What’s the Fuss with Zero Trust?
In practice, the zero trust security model means never trusting and always verifying: no user or device is trusted simply because it sits on the agency network, and access is granted only after the requester has proven who they are through authentication, and is re-verified for as long as the session lasts. At its core, identity is a key component of zero trust. And with cyber threats increasingly putting organizations at risk, ensuring only authorized users gain access to networks and data is critical for the private and public sector alike.
Government agencies continue to be a significant target for threat actors, as evidenced by an escalation of sophisticated, high-impact ransomware incidents against critical infrastructure organizations. As part of our 2023 Annual Identity Exposure Report, SpyCloud researchers wanted to learn how government agencies fared in data breaches last year, since stolen credentials add powerful ammunition to ransomware attacks. We found 695 breaches containing .gov emails in 2022, a nearly 14% increase from 611 in 2021. Our data also shows that 74% of exposed government credentials across the globe in 2022 were exfiltrated by malware rather than taken in third-party breaches, putting the government sector at even higher risk from malware-infected devices than enterprises.
The resulting compromised credentials give threat actors a potential foothold inside those agencies, and the risk is compounded by the 61% password reuse rate among .gov users who had more than one password exposed in the last year: a single stolen password can open several accounts.
With identity being the crux of zero trust, the sheer amount of data exposed on the darknet from .gov email addresses is enough to make the case for implementing this type of initiative across federal government agencies.
Implementing Zero Trust for the U.S. Government
Governments appear to be ahead of their private sector peers when it comes to implementing zero trust, with 72% of government organizations already using a zero trust model, compared to 56% of companies. In the U.S., zero trust is a cybersecurity initiative championed from the top levels of government.
To strengthen national cybersecurity and “reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns,” the White House issued a memo in January 2022 outlining the U.S. Federal Government’s move to a zero trust strategy. The memo states that:
“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”
As part of the U.S. Government’s implementation of a zero trust strategy, agencies are required to meet specific zero trust goals by the end of fiscal year 2024, among them verifying every user and device attempting to access agency resources rather than trusting them because they are already inside the network.
According to a Government Accountability Office report, the U.S. Department of Defense (DoD) has reported over 12,000 cyber incidents since 2015, effectively making the case for the federal zero trust strategy across the government. The DoD launched its zero trust strategy in November of 2022, with the intent to:
In an effort to provide further guidance on the User pillar of the government’s zero trust framework, the National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI) entitled “Advancing Zero Trust Maturity Throughout the User Pillar” in March 2023. The sheet gives agencies additional insights on how to enhance capabilities in identity, credential, and access management (ICAM) to mitigate attacks in which an adversary impersonates a trusted user to gain access to critical data and systems.
Within the sheet, the NSA outlines the maturity phases for each area, from preparation for zero trust through advanced zero trust maturity, and offers recommendations and examples for each level. Specifically regarding credential management, the NSA reiterates its recommendations to issue strong credentials, enable MFA, and automate the full credential lifecycle: issuance, maintenance, re-issuance or replacement, expiration, and revocation. The NSA says this guidance will enhance agencies’ ability to detect and respond to increasing cyberthreats, especially those targeted at our national security, critical infrastructure, and Defense Industrial Base (DIB) systems.
As more government agencies begin to implement zero trust, keeping bad actors out of their networks is central to a successful strategy. Authentication methods, including credentials and MFA, are a major component of that implementation, and so is continuous monitoring to confirm that those methods have not themselves been compromised.
Identity Recommendations To Enhance Zero Trust Strategy
Key tenets of the government’s zero trust strategy include MFA and secure password policies. However, we would argue that these authentication methods deserve even more scrutiny than the strategy gives them, because neither is foolproof.
While enforcing MFA adds a critical layer of security, it is a preventive measure that adversaries can bypass. To increase MFA’s effectiveness, agencies must prepare for the threat of malware, in particular infostealers. Web session cookies are just one type of authentication data that malware siphons from an infected device. A stolen cookie represents a session that has already passed authentication, so whoever replays it skips the login flow, and the MFA challenge with it, entirely. With this information, cybercriminals and advanced persistent threats alike can gain access to mission-critical applications and move virtually undetected through your network, performing espionage, exfiltrating files, and launching ransomware attacks.
Strong password policies are another way to ensure access is only granted to authorized users, but enforcing them is a challenge of its own. With poor password hygiene plaguing government agencies, as evidenced in our Annual Identity Exposure Report, stolen credentials from government agencies can be used to gain unauthorized access to networks and wreak havoc on not only government employees, but constituents as well. While NIST offers guidelines for password policies (SP 800-63B, which favors length and screening against known-compromised passwords over mandatory composition rules), SpyCloud recommends additional tips for strong passwords, including long, hard-to-guess passwords and ensuring that every password is unique across accounts.
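The two checks the paragraph above calls for, screening a candidate password against exposed-credential data and rejecting reuse across a person's accounts, are shown below as an added example. It is not code from the original post or from SpyCloud; the exposed corpus is a constructed in-memory set standing in for a breach-data service, and the names and the 5-character prefix length are assumptions chosen for illustration. The screening uses a k-anonymity range query so that the service never sees the full hash of the password being checked, and reuse is detected by re-verifying the candidate against each account's salted verifier rather than by comparing bare hashes.

```python
"""Screen a candidate password against exposed-password data with a
k-anonymity range query, and check it is not reused across accounts.

Added example (not the post's or SpyCloud's code). EXPOSED_PASSWORDS is a
constructed sample; the 5-hex-character prefix is an assumption."""
import hashlib
import hmac
import os

# Constructed sample of exposed passwords (stands in for recaptured breach data).
EXPOSED_PASSWORDS = {"Password123!", "Winter2022!", "letmein", "Summer2021"}
PBKDF2_ROUNDS = 200_000


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# "Service" side: index of SHA-1 digests of every exposed password.
EXPOSED_HASHES = {sha1_hex(p) for p in EXPOSED_PASSWORDS}


def range_query(prefix: str) -> list[str]:
    """Return the 35-character suffixes of every exposed digest starting with PREFIX.

    This is all the service learns. A 5-character prefix covers many unrelated
    digests, so the query does not reveal which password the client is checking."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return sorted(h[5:] for h in EXPOSED_HASHES if h.startswith(prefix))


def is_exposed(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def make_verifier(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 verifier, as an account store would keep it (never a bare hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def matches_verifier(password: str, verifier: tuple[bytes, bytes]) -> bool:
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_issues(candidate: str, other_accounts: dict[str, tuple[bytes, bytes]],
                    min_length: int = 12) -> list[str]:
    """Reasons to reject CANDIDATE as a new or rotated password; empty list means accept.

    other_accounts maps account name -> stored verifier for the same person's other
    accounts, so reuse is caught by re-verifying the candidate against each of them."""
    issues = []
    if len(candidate) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if is_exposed(candidate):
        issues.append("appears in exposed-credential data")
    reused = sorted(name for name, v in other_accounts.items() if matches_verifier(candidate, v))
    if reused:
        issues.append("already in use on: " + ", ".join(reused))
    return issues
```

The reuse check is the expensive part (one PBKDF2 derivation per other account), which is acceptable at password-change time; the exposure check is cheap and can also be run on existing passwords whenever new breach data arrives, which is the continuous-monitoring case the rest of this section argues for.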
Further, recapturing exposed data early is critical to mitigating the threat of attack. The later breach or malware data is recaptured, the wider the exposure window and the higher the risk of cyberattacks using compromised credentials. Speed of data recovery makes it possible to reset passwords and invalidate sessions proactively, before criminals use them to cause harm.
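The stolen-cookie replay described two paragraphs up and the proactive reset described here fit together in one control flow, shown below as an added example. It is not the post's or SpyCloud's code, and the record fields, store layout, session lifetime and device identifiers are constructed assumptions. The session store binds each cookie to the device it was issued to and refuses (and kills) a cookie presented from any other device; when an exposure record arrives for a user, every live session is revoked and a password reset is forced, and a device that appears in a malware record is quarantined so it cannot obtain new sessions until it is remediated. One caveat the code cannot remove: a device identifier that lives on the client can be stolen alongside the cookie, so in production the binding should rest on a hardware-backed key or OS-attested device identity rather than the plain string used here as a stand-in.

```python
"""Session hygiene driven by exposure data: device-bound sessions, revocation
and forced reset when a credential or device shows up in breach or malware data.

Added example (not the post's or SpyCloud's code). Field names, the session
lifetime and the device identifiers are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional

MAX_SESSION_AGE = 8 * 3600  # seconds; assumed lifetime for illustration


@dataclass
class Session:
    user: str
    device_id: str
    issued_at: int
    revoked: bool = False


@dataclass
class IdentityStore:
    sessions: dict[str, Session] = field(default_factory=dict)  # cookie value -> Session
    force_reset: set[str] = field(default_factory=set)          # users who must rotate passwords
    untrusted_devices: set[str] = field(default_factory=set)    # devices seen in malware records
    audit: list[str] = field(default_factory=list)

    def issue(self, cookie: str, user: str, device_id: str, now: int) -> bool:
        """Create a session bound to DEVICE_ID; refused for quarantined devices."""
        if device_id in self.untrusted_devices:
            self.audit.append(f"refused session for {user} on quarantined device {device_id}")
            return False
        self.sessions[cookie] = Session(user, device_id, now)
        return True

    def validate(self, cookie: str, device_id: str, now: int) -> Optional[str]:
        """Return the user if COOKIE is live and presented from the device it was bound to."""
        s = self.sessions.get(cookie)
        if s is None or s.revoked or s.user in self.force_reset:
            return None
        if now - s.issued_at > MAX_SESSION_AGE:
            return None
        if device_id != s.device_id:
            # A cookie siphoned by malware and replayed elsewhere: reject it and kill the session.
            s.revoked = True
            self.audit.append(f"replay of {s.user} session from {device_id}")
            return None
        return s.user

    def remediate(self, records: list[dict]) -> list[str]:
        """Act on recaptured exposure records before the exposed data can be used."""
        actions = []
        for r in records:
            user = r["email"]
            self.force_reset.add(user)
            revoked = 0
            for s in self.sessions.values():
                if s.user == user and not s.revoked:
                    s.revoked = True
                    revoked += 1
            actions.append(f"{user}: forced reset, revoked {revoked} session(s)")
            if r["type"] == "malware":
                self.untrusted_devices.add(r["device_id"])
                actions.append(f"{user}: quarantined device {r['device_id']}")
        return actions


# Constructed sample exposure records (not real data; .example is a reserved TLD).
EXPOSURE_FEED = [
    {"email": "alice@agency.example", "type": "malware", "device_id": "ws-0142"},
    {"email": "bob@agency.example", "type": "breach", "source": "third-party-forum"},
]


def demo():
    store = IdentityStore()
    store.issue("c-alice", "alice@agency.example", "ws-0142", now=1000)
    store.issue("c-bob", "bob@agency.example", "ws-0099", now=1000)
    before = store.validate("c-alice", "ws-0142", now=1100)      # legitimate use
    replay = store.validate("c-alice", "attacker-vm", now=1200)  # stolen cookie, wrong device
    actions = store.remediate(EXPOSURE_FEED)                      # exposure data arrives
    after = store.validate("c-bob", "ws-0099", now=1300)         # bob's session is gone
    reissue = store.issue("c-alice-2", "alice@agency.example", "ws-0142", now=1400)
    return before, replay, actions, after, reissue
```

Note the ordering in `demo`: the replay is caught by device binding before any exposure record exists, while Bob's session is only killed once the breach record arrives. The gap between those two events is the exposure window the paragraph above describes.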
NIST Guidelines agree: “Most ransomware attacks are conducted through network connections, and because ransomware attacks often start with credential compromise, proper credential management is an essential mitigation, although not the only mitigation needed.”
How Darknet Data Enables Zero Trust
A mature zero trust strategy must seek to proactively secure user identities, regardless of device or network, by preparing for the limits of protective measures and deepening the risk assessment of each user.
As the leader in Cybercrime Analytics™ with the world’s largest repository of recaptured assets from the darknet, including stolen credentials and malware-infected devices, SpyCloud has become an essential component of zero trust. Insights from data on the darknet give you confidence in your users’ identities and protect their accounts (and your agency’s mission-critical systems and data) without creating unnecessary friction for your employees or extra work for your security team. It’s all about:
- Having access to the right data — the most current, relevant, and truly actionable breach and malware data
- The ability to detect exposed credentials and malware-infected devices before criminals have a chance to use them
- Being able to remediate account exposures automatically
SpyCloud solutions are aligned to several zero trust capabilities, including:
- Visibility and analytics
- Advanced Threat Protection, Risk Evaluation, and Dynamic Risk Scoring
- Automation and orchestration
It is critical that the federal government and its contractors have comprehensive identity protection to strengthen their zero trust strategy. Ensuring only authorized users have access to government networks is imperative to our national security, and insights from the darknet about exposed identity data can help support that mission.