The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack


While IT security managers in companies and public administrations rely on the concept of Zero Trust, APTs (Advanced Persistent Threats) are putting its practical effectiveness to the test. Analysts, on the other hand, understand that Zero Trust can only be achieved with comprehensive insight into one’s own network.

Just recently, an attack believed to be perpetrated by the Chinese hacker group Storm-0558 targeted several government agencies. The attackers used forged digital authentication tokens to access webmail accounts running on Microsoft’s Outlook service. In this incident, they stole a signing key from Microsoft, enabling them to issue functional access tokens for Outlook Web Access (OWA) and Outlook.com and to download emails and attachments. Due to a validation error, signatures made with a key that was only intended for private customer accounts (MSA) were also accepted by Azure Active Directory for business customers.
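The validation flaw described above, modelled as an added example that is not part of the original article or of any Microsoft code: a flawed verifier that looks up the token’s key id in one merged key set (so a token signed with the consumer key passes an enterprise check) next to a fixed verifier that selects the key set from the issuer it expects and then checks issuer and audience. Key names, secrets and claims are constructed, and HMAC stands in for the RSA signatures used in the real incident.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in keys; the real keys were RSA signing keys published per issuer.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-constructed"}     # MSA (private accounts)
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-constructed"}  # Azure AD (business)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Build a minimal JWT-style token: header.payload.signature (HS256 stand-in)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def _verify_signature(token: str, key: bytes) -> Optional[dict]:
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None

def kid_of(token: str) -> str:
    return json.loads(b64url_decode(token.split(".")[0]))["kid"]

def validate_flawed(token: str, expected_aud: str) -> Optional[dict]:
    # Flaw: one merged key set, so any published key can sign a token for any audience.
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(kid_of(token))
    claims = _verify_signature(token, key) if key else None
    return claims if claims and claims.get("aud") == expected_aud else None

def validate_fixed(token: str, expected_aud: str, expected_iss: str) -> Optional[dict]:
    # Fix: the key set is bound to the issuer we expect; a foreign kid is simply unknown.
    keyset = ENTERPRISE_KEYS if expected_iss == "aad" else CONSUMER_KEYS
    key = keyset.get(kid_of(token))
    claims = _verify_signature(token, key) if key else None
    if not claims or claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    return claims

def demo() -> tuple:
    # Constructed token with enterprise claims but signed by the consumer key.
    forged = sign_token({"iss": "aad", "aud": "owa", "sub": "user"}, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    return (validate_flawed(forged, "owa") is not None, validate_fixed(forged, "owa", "aad") is not None)
```

`demo()` returns `(True, False)`: the flawed verifier accepts the cross-tenant token, the fixed one rejects it.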

Embracing the Zero Trust Revolution

According to a report by the vendor Okta (State of Zero-Trust Security 2022), 97% of respondents are already engaged in a zero-trust strategy or plan to implement one within the next 18 months. This has increased the percentage of Zero Trust advocates from 24% (2021) to 55% (2022). The security model known as Zero Trust is an overarching security strategy designed to continuously audit and verify access to resources, both internally and externally. Many organizations are embracing this security strategy based on the principle that network devices and users must constantly prove their identity, as they are not automatically trusted.

Zero Trust relies on continuous monitoring and dynamic control for applications, users and devices. It limits access to resources to the absolute minimum and all identities on the platform are evaluated using the same criteria as hosts. The overarching goal is to enhance security by granting access only to those who continuously prove their identity and whose behavior is under constant scrutiny.

Peering Past the Perimeter: What is Really Happening in Your Network

Identity and access management (IAM) undoubtedly plays a fundamental role in Zero Trust. Unfortunately, constant verification of users’ identities proves ineffective when an identity has been stolen. Moreover, attackers can bypass these systems by manipulating meta-information, such as the geolocation of a login, using a spoofed VPN address. IDS/IPS systems are tasked with detecting suspicious or unauthorized activity, virus infections, malware and ransomware, zero-day attacks, SQL injection and more. However, IDS/IPS systems often only detect known signatures, such as previously identified malicious domains or IP addresses. If a domain hasn’t been flagged as malicious beforehand, conventional security solutions may overlook it, allowing attackers to exploit the weak link in the chain. Consequently, traditional cybersecurity systems can falter when it comes to putting Zero Trust into practice.

To implement a Zero Trust security strategy effectively, organizations are increasingly turning to network analysis tools, as recently recommended by the analyst firm Forrester (“The Network Analysis and Visibility Landscape, Q1 2023”). According to the Forrester report, security and risk professionals should employ Network Detection and Response (NDR) tools to monitor their networks, search for threats, detect applications and assets, and capture malicious data packets. These actions contribute to the effective detection of threats within IT infrastructures.

Network Detection & Response (NDR): The Unsung Hero of Zero Trust Security

NDR solutions are vital for creating a resilient and effective Zero Trust architecture. They provide real-time visibility into network traffic, monitor user behaviour and device activity, and enable swift detection and response to suspicious network operations or anomalous activities. This visibility extends to all operating systems, application servers, and IoT devices.

Forrester has highlighted that the significance of enterprise networks in cyberattacks is often underestimated. Cybercriminals use fake identities or zero-day exploits to infiltrate corporate networks, then move laterally across the network to search for targets, gain access to privileged systems, install ransomware or other malware, and exfiltrate corporate data. NDR helps detect internal reconnaissance (where the attacker surveys potential targets) and lateral movement once the attacker is already in the network. NDR systems gather data from all switches and operate entirely without agents, which cannot be installed in many environments.

Machine Learning NDR: The New Standard in Anomaly Detection

With Machine Learning (ML), Network Detection and Response (NDR) systems are capable of detecting traffic anomalies without relying on pre-stored, known “Indicators of Compromise” (IoCs). These ML models are designed to be continuously trained, enabling them to detect new threats and attack techniques. This approach significantly accelerates the detection of malicious activities and enables early attack mitigation. Moreover, it aids in identifying unknown, suspicious behaviour and minimizes the time attackers can dwell unnoticed within a network, thereby enhancing overall security.

[Figure: How ExeonTrace, a leading ML-based NDR, analyzes metadata in order to provide network visibility, anomaly detection and incident response.]

Machine learning algorithms establish the baseline of normal network behaviour by analyzing communication patterns and learning what is “normal” for the network. Once trained on this baseline, they can detect deviations from it. Examples of such deviations include suspicious connections, unusual data transfers, traffic patterns that fall outside established norms, lateral movements within the network, data exfiltration, and more.
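The baseline-and-deviation idea above, as an added example that is not part of the article and not Exeon’s code: a simple statistical stand-in for a learned baseline, built from constructed flow metadata (source host, destination, bytes sent) of the kind an NDR derives from switch data, which then flags new peers (lateral movement or reconnaissance) and volume outliers (possible exfiltration). Host names, addresses and byte counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training-window flow records: (src_host, dst, bytes_out).
BASELINE_FLOWS = [
    ("ws-17", "fileserver", 2000), ("ws-17", "fileserver", 2200), ("ws-17", "fileserver", 1800),
    ("ws-17", "fileserver", 2100), ("ws-17", "fileserver", 1900),
    ("ws-17", "mail", 500), ("ws-17", "mail", 400), ("ws-17", "mail", 600),
]

def build_baseline(flows):
    """Per source host: the set of peers it normally talks to and its bytes-out distribution."""
    peers, volumes = defaultdict(set), defaultdict(list)
    for src, dst, nbytes in flows:
        peers[src].add(dst)
        volumes[src].append(nbytes)
    return {src: {"peers": peers[src], "mean": mean(volumes[src]), "std": pstdev(volumes[src])}
            for src in peers}

def detect(flows, baseline, z_threshold=3.0):
    """Return (src, dst, reason) for each flow that deviates from the learned baseline."""
    alerts = []
    for src, dst, nbytes in flows:
        b = baseline.get(src)
        if b is None:
            alerts.append((src, dst, "host not seen in baseline"))
            continue
        reasons = []
        if dst not in b["peers"]:
            reasons.append("new peer")
        std = b["std"] or 1.0  # avoid division by zero for hosts with constant volume
        if (nbytes - b["mean"]) / std > z_threshold:
            reasons.append("volume outlier")
        if reasons:
            alerts.append((src, dst, ", ".join(reasons)))
    return alerts

# Constructed observation window: one normal flow, one new internal peer, one large upload, one unknown host.
NEW_FLOWS = [("ws-17", "fileserver", 2050), ("ws-17", "dc-01", 1200),
             ("ws-17", "203.0.113.9", 250000), ("ws-42", "fileserver", 1000)]

def run() -> list:
    return detect(NEW_FLOWS, build_baseline(BASELINE_FLOWS))
```

`run()` returns three alerts: the new peer `dc-01`, the external upload flagged as both a new peer and a volume outlier, and the host absent from the baseline; the normal file-server flow produces nothing.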

Exeon is a leading NDR solutions provider headquartered in Switzerland with a strong knowledge base and a foundation rooted in cybersecurity expertise. Its NDR platform, ExeonTrace, offers comprehensive network monitoring powered by advanced Machine Learning technology. It enables automated detection of potential cyber threats, making it an essential tool for Security Operations Center (SOC) teams and Chief Information Security Officers (CISOs) who are committed to implementing and maintaining a robust Zero Trust security strategy.

Interested in seeing how NDR from Exeon fortifies cybersecurity and enables effective Zero Trust implementations? Consider booking a demo with Exeon to witness firsthand how Zero Trust and cyber resilience are brought into action!
