Can ZTNA Prevent Social Engineering?
Social engineering is a trick that works.
Can a zero trust approach help prevent it or reduce the damage it can cause?
Consider, for example, a recent data breach reported by a digital communications company.
Social Engineering Attack Outcomes
In this case, threat actors used urgency to fool some company employees into giving away their credentials. Employees received text messages warning about expired passwords or schedule changes.
These messages came with a link to “log in” and directed employees to a spoofed login page, created by the threat actors to capture anything that’s typed in. At least some employees typed in their credentials.
Attackers leveraged this information to gain access to the network, and ultimately to explore data belonging to some of the company’s customers. In a post about the attack, the victimized organization notes that other companies are facing similar attacks right now.
In other types of social engineering attacks, threat actors use sophisticated voice phishing, impersonate trusted organizations, or convince victims to accept multi-factor authentication (MFA) push notifications that the attacker initiated. Once a push is accepted, the threat actor has access to the Virtual Private Network (VPN) under the victim’s identity and can often reach sensitive data and systems, while IT and security teams remain in the dark about what is happening inside their environments.
While traditional VPNs remain widely used as an encrypted remote-access tool, blind spots like those described above are contributing to a growing security crisis. A breached VPN grants far too much access, and VPN deployments offer numerous vulnerabilities to exploit, so a single compromised connection puts network resources at risk in a domino effect that today’s threats are well placed to exploit.
How Zero Trust Can Mitigate VPN Risk
As more organizations recognize the limitations of VPNs, they are seeking alternatives to this outdated and alarmingly porous means of providing remote access to a network. This recognition, in turn, is fueling interest in zero trust access, a comparatively simple, scalable, and more secure way to reach any application from anywhere. Zero trust works on the principle of granting users “just-in-time” and “just-enough” access, with continuous authentication, to significantly reduce an organization’s attack surface while delivering superior and seamless performance to end users.
The prevalence of these social engineering attacks further highlights the need to introduce a Zero Trust Network Access (ZTNA) solution that protects against the one vulnerability that is impossible to “patch”: human error.
What Is a Zero Trust Approach?
At the foundational level, implementing a zero trust approach to network access lets administrators grant access only to the resources a user needs, rather than to the entire network, shrinking the potential attack surface. This granular control of permissions, in turn, mitigates the impact of social engineering and credential-stealing attacks.
However, leveraging ZTNA to combat social engineering goes beyond VPN replacement. This solution is deeply rooted in an interconnected security strategy.
At the forefront of this strategy is a tight interlock between the ZTNA solution and endpoint security agents, accomplished by managing access and endpoint security control from a single control plane. Running access management and endpoint security in the same tenant keeps endpoint protection and ZTNA in lock-step, so access decisions can take the endpoint’s security posture into account.
In addition, limiting the activation of endpoint security agents to a predetermined number of devices lets administrators monitor the health and resource demand of their networks, ensuring that rogue devices are not being added and that only healthy devices are permitted network access.
Taking this a step further, mandatory user re-authentication when accessing private resources puts continuous authentication in control of when sensitive information is released. It also limits the “runway” a threat actor gains from a stolen credential or an accepted MFA push: the illegitimate access is narrowly scoped and short-lived.
These zero trust fundamentals work together to challenge social engineering threats by ensuring granular access control, limiting the negative consequences a social engineering attack can have on an organization.
Adding User and Entity Behavior Analytics to ZTNA
Built on top of ZTNA basics, User and Entity Behavior Analytics (UEBA) is another potent weapon against social engineering.
UEBA is a powerful tool that notes normal user conduct patterns, and alerts administrators when abnormal behavior occurs. This anomalous behavior is often the first indication of malicious activity, such as intrusion by a threat actor via a credential-stealing or social engineering attack.
With UEBA and ZTNA working together, a deviation in behavior can trigger a temporary denial of access to network resources for only the affected accounts, rather than the whole user population, until the threat actor can be flushed out. A tight interlock between ZTNA and UEBA helps administrators quickly identify deviant behavior and act before critical resources are compromised.
Using these tools together also enables early detection of, and response to, unusual and unauthorized data exfiltration, which is often an early indicator of a network imposter or a ransomware attack on an endpoint. The goal is to detect and respond swiftly, before the compromise can spread to the rest of the network.
A solution that can expertly manage the relationship between ZTNA fundamentals and UEBA is a critical weapon in the arsenal against stealthy and insidious attacks such as social engineering.
ZTNA’s Built-In Threat Protection
Tying together ZTNA fundamentals and UEBA provides a high level of built-in threat protection. This methodology for detecting and protecting your organization also includes:
- Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) rules that identify both malicious activity and policy violations and take action to prevent them, by reporting, blocking, or dropping the offending traffic when they occur.
- Destination Reputation Analysis to determine whether actors at known malicious destinations are attempting to access network resources, even when impersonating confirmed users with stolen credentials.
Taken together, built-in threat protection is a key component of leveraging ZTNA. Not only can it detect social engineering attacks as they are happening, it can actively push back and prevent them. This protection secures the network before a threat actor can gain access and begin moving laterally across it.
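The controls described above (per-resource grants, enrolled and healthy devices, re-authentication for private resources, a UEBA anomaly signal that suspends only the affected account, and reputation checks) can be pictured as one policy decision point. The following toy evaluator is an added illustration, not BlackBerry’s code; every class name, threshold, user, device and address in it is a constructed assumption.

```python
"""Toy ZTNA policy decision point (added illustration, not BlackBerry's code).
Checks run in order and the first failure wins; all names/thresholds are assumed."""
from dataclasses import dataclass
REAUTH_WINDOW_SEC = 900    # assumed: private resources need auth within 15 min
UEBA_DENY_THRESHOLD = 0.8  # assumed: anomaly score at/above this suspends access

@dataclass
class Request:
    user: str
    resource: str
    device_id: str
    device_healthy: bool
    seconds_since_auth: int
    source_ip: str

@dataclass
class Context:
    grants: dict              # user -> resources granted ("just-enough" access)
    private: set              # resources that require fresh re-authentication
    registered_devices: dict  # user -> enrolled device ids (keeps rogue devices out)
    ueba_scores: dict         # user -> current anomaly score reported by UEBA
    bad_sources: set          # addresses flagged by reputation analysis

def decide(req: Request, ctx: Context) -> tuple:
    if req.source_ip in ctx.bad_sources:
        return False, "reputation: source flagged as malicious"
    if req.device_id not in ctx.registered_devices.get(req.user, set()):
        return False, "device: not enrolled for this user"
    if not req.device_healthy:
        return False, "device: failed health check"
    if req.resource not in ctx.grants.get(req.user, set()):
        return False, "policy: resource not granted to this user"
    if req.resource in ctx.private and req.seconds_since_auth > REAUTH_WINDOW_SEC:
        return False, "auth: re-authentication required for private resource"
    if ctx.ueba_scores.get(req.user, 0.0) >= UEBA_DENY_THRESHOLD:
        return False, "ueba: anomalous behavior, account access suspended"
    return True, "allowed"

def demo_context() -> Context:  # constructed sample tenant: one user, one laptop
    return Context(
        grants={"alice": {"hr-portal", "payroll"}},
        private={"payroll"},
        registered_devices={"alice": {"laptop-01"}},
        ueba_scores={"alice": 0.1},
        bad_sources={"203.0.113.9"},  # constructed, TEST-NET-3 range
    )

if __name__ == "__main__":  # phished credentials replayed from an unenrolled machine
    print(decide(Request("alice", "hr-portal", "attacker-box", True, 5, "198.51.100.7"), demo_context()))
```

The point the post makes shows up in the ordering: a stolen password or an accepted MFA push satisfies none of the device, scope, re-authentication or behavior checks on its own, so the credential alone does not open the network the way a VPN login would.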
Learn More
To learn more about harnessing the power of ZTNA to combat social engineering and other growing threat vectors, see BlackBerry® cybersecurity solutions.