Given the events of the past few months, the Executive Order issued on May 12th was long overdue. President Biden took office in the midst of the SolarWinds incident, and his first months saw even more dire revelations: attacks on tens of thousands of organizations that use Microsoft’s Exchange email server and - just last week - the crippling ransomware attack on the Colonial gas pipeline serving the U.S. East Coast. (Read our post: A Lesson From The Pipeline Hack: Secure Active Directory Now.)
As we noted: the Executive Order (EO) is a big step in the right direction for the federal government. Among other things, the EO puts a premium on cyber resilience - being able to withstand attacks, not simply prevent them. It also embraces the concept of “zero trust architecture,” mirroring the movement of private sector firms towards identity-centric security.
But what does the Executive Order mean for executives and IT security teams who must comply with it? How can federal agencies and contractors operationalize the requirements of the Executive Order? That’s what we’re breaking down here.
The Zero Trust Rorschach
First up is a note of caution. IT executives and security leads need to recognize that “Zero Trust” and variants like “Zero Trust Architecture” or “Zero Trust Networking” are something of a Rorschach test in the information security field. In other words: “Zero Trust” is a concept with a definition (at least in the abstract), but about which there are countless spins and interpretations that lack sufficient clarity at the engineering level.
Zero Trust Networking can be traced back to Forrester Research analyst John Kindervag, who coined the phrase in 2010 to describe a “perimeter-less” network and the belief that no IT environment will be 100% successful in avoiding a compromise. As defined in the Executive Order, Zero Trust Architecture describes a security model that boils down to “assume breach” - either it has likely occurred or is inevitable. Practically, that means “constantly limiting access to only what is needed” using “granular risk-based access controls” and conducting “comprehensive security monitoring” to look for “anomalous or malicious activity.”
Unfortunately, the problem for IT executives is that “zero trust” is now a phrase that will be tacked onto security solutions of every stripe, whether or not they honestly address the underlying challenges of establishing a zero trust architecture. That was true already. But now that it is an architecture endorsed by the White House: caveat emptor!
What Is (and Isn’t) Zero Trust
To start: it isn’t a security silver bullet. There is no appliance, service or “single pane of glass” that “automagically” identifies sophisticated compromises or directly solves any of your other security problems.
Zero Trust Architecture is about establishing what we, at QOMPLX, describe as ground truth: an assurance that you know both who and what is operating in your IT environment. Zero trust is knowing that you can trust that the activity you are observing is all that is transpiring. That is visibility. Further, it is the confidence to connect that behavior back to entities that you have explicitly provisioned access to - and no more - and to know that they are who or what they appear to be. Authentication is at the core!
“Zero Trust Architecture” is predicated on robust identity management and monitoring. That is why Section 3(d) of the Executive Order mandates adoption of multi-factor authentication to thwart run-of-the-mill account takeovers and asks for audits of trusts. It is also why the EO, in Section 4, goes deep on software supply chain security, emphasizing both the integrity of software components (SBOM - or Software Bill of Materials) and the auditing of “trust relationships” between government entities and software supply chain partners. Both requirements speak to the need for organizations to establish and verify this ground truth. Recent incidents like the Colonial Pipeline ransomware attack and the compromise of SolarWinds have highlighted very clearly the multi-million-dollar cost of failure for organizations.
Operationalizing the EO: Zero Trust, But Verify
Speaking practically: what will it mean for government agencies, contractors and suppliers to “operationalize” the directives in the EO? At QOMPLX, we believe the key to doing that is to know, first, what is operating within your environment. Second, organizations must be able to monitor and validate fundamental controls and protocols, including identity. In other words, organizations need to “zero trust, but verify,” to spin a familiar security principle.
What do we mean by that? Consider that in most sophisticated offensive cyber operations today, the attackers look to disappear within the compromised environment by obtaining administrator-level credentials and access. Exploiting Active Directory and cloud identity providers is a mainstay. This allows them to fade into the background noise of credentialed, authenticated network activity. If you control authentication, you can bypass authorization. From there, attackers can do what they want: adding or modifying users, and accessing or changing data, services and configurations.
That’s why critical identity infrastructure, such as Active Directory and Kerberos, is so important. That legacy identity infrastructure is what QOMPLX CSO Andy Jaquith describes as an “overstuffed turkey” of critical data, including active users and passwords, IT assets like servers and workstations, and entitlements. Attackers have grown fat feasting on that turkey: for example, by manipulating Kerberos to enumerate active accounts, by surreptitiously padding privileged user groups with compromised or phony user identities, or simply by forging SAML tokens to access cloud resources.
The Bottom Line: The White House EO sees “Zero Trust Architecture” as the path to reliable government (and private sector) IT security. But maintaining “zero trust” in the integrity of your network - while still relying on that network - demands complete trust in your identity provider, user identities, and so on.
“Zero trust,” in other words, means you need total trust in something else: Active Directory and the Kerberos protocol on-premises, and the SAML protocol and your cloud identity provider in the cloud. That’s where QOMPLX comes in. We actually watch that stuff. Turns out to be important.
How We Can Help
“Zero Trust” assumes that some attacks will be successful, but that rapid detection will limit the damage they cause, increase the cost to adversaries, and decrease the cost for victims.
QOMPLX’s technology helps organizations verify their “zero trust” environment by spotting a wide range of Kerberos attacks like Kerberoasting and Pass the Hash, as well as forgery attempts like Golden Ticket and Silver Ticket. QOMPLX can even protect cloud environments or complex federated environments with detections like those for Golden SAML attacks against cloud identity providers. QOMPLX’s technologies also minimize the “blast radius” of an intrusion by giving defenders deep visibility into privilege and authentication events in their network that may indicate an emerging attack or compromise.
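To make the “zero trust, but verify” idea concrete, here is an added example (not QOMPLX’s code) of two of the detections named above, run over constructed Windows Security events: additions to privileged groups, and a burst of RC4 service-ticket requests from a single account, the usual Kerberoasting footprint. Event IDs 4728/4732/4769 and encryption-type code 0x17 are standard Windows values; the privileged-group list and the burst threshold are assumptions.

```python
from collections import defaultdict

# Groups whose membership changes should always be reviewed (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
RC4_ETYPE = "0x17"          # RC4-HMAC ticket encryption, the type Kerberoasting tools ask for
TGS_BURST_THRESHOLD = 5     # distinct RC4 service tickets per account before alerting (assumed)

def flag_privileged_group_additions(events):
    """Event 4728/4732 = member added to a security-enabled global/local group.
    Return (actor, member, group) for every addition to a privileged group."""
    return [(e["actor"], e["member"], e["group"])
            for e in events
            if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS]

def flag_rc4_tgs_bursts(events, threshold=TGS_BURST_THRESHOLD):
    """Event 4769 = Kerberos service ticket (TGS) requested. One account pulling
    RC4 tickets for many distinct SPNs is the classic Kerberoasting signature."""
    spns_by_account = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == RC4_ETYPE:
            spns_by_account[e["actor"]].add(e["service"])
    return {acct: sorted(spns) for acct, spns in spns_by_account.items()
            if len(spns) >= threshold}

# Constructed sample events (not real logs): simplified fields from the
# Windows Security log. Three benign entries plus two suspicious patterns.
SAMPLE_EVENTS = [
    {"id": 4769, "actor": "j.doe", "service": "cifs/fs01", "etype": "0x12"},
    {"id": 4769, "actor": "j.doe", "service": "http/intranet", "etype": "0x12"},
    {"id": 4728, "actor": "hr.admin", "member": "j.doe", "group": "Marketing"},
    # one account suddenly requesting RC4 tickets for six different SPNs
    *[{"id": 4769, "actor": "svc_backup", "service": spn, "etype": "0x17"}
      for spn in ("mssql/db01", "mssql/db02", "http/crm", "cifs/fs02",
                  "ldap/dc01", "host/app03")],
    # a fresh account quietly added to Domain Admins
    {"id": 4728, "actor": "admin.x", "member": "tmp-helpdesk", "group": "Domain Admins"},
]

if __name__ == "__main__":
    for hit in flag_privileged_group_additions(SAMPLE_EVENTS):
        print("privileged group change:", hit)
    for acct, spns in flag_rc4_tgs_bursts(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: {len(spns)} RC4 service tickets")
```

In production the threshold should be tuned per environment and the 4769 window bounded in time; the point is that both signals come straight from authentication and privilege events the domain already logs.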
QOMPLX’s team has operated some of the largest Active Directory implementations in the world and works with both private sector firms and the U.S. government. If you want to learn more about how QOMPLX can help you comply with the new Executive Order or implement Zero Trust architecture with necessary verification of authentication, request a meeting with QOMPLX or use the form below to contact us.