March 28, 2024

NSA’s Zero Trust Network and Environment Pillar: 4 Key Takeaways for Security-Conscious Organizations

In March 2024, the U.S. National Security Agency (NSA) released a Cybersecurity Information Sheet (CIS) titled Advancing Zero Trust Maturity Throughout the Network and Environment Pillar [1]. This CIS focuses on one of the pillars of NSA’s Zero Trust Security (ZTS) Model: Network and Environment. It also provides recommendations related to this pillar to help organizations better protect their networks from intrusions and curtail adversarial lateral movement. Let’s take a look at some of these recommendations, plus four important takeaways from the CIS.

#1: Zero Trust Is No Longer Just “Nice to Have”

Zero Trust, predicated on the principle of “never trust, always verify”, is not new, but it continues to emerge as a more effective cybersecurity approach than traditional perimeter security. One reason is that the traditional network edge no longer exists; today’s networks are often described as “perimeterless”. As organizations move to the cloud and implement hybrid infrastructures, they find themselves exposed to a larger number and a wider variety of threats. Large remote workforces and expanding supply chain networks add further security concerns.

As attack surfaces expand, organizations need more than inward-focused perimeter security measures to safeguard their assets and data. They need end-to-end visibility into their networks, plus measures that allow them to consistently enforce security policies, control who can access data and resources, and quickly detect and respond to threats. This is where Zero Trust Security comes in.
ZTS emphasizes the continuous authentication, authorization, and validation of all users, devices, and connections before allowing them to access the organization’s applications or data. It also stresses adopting multi-layered defenses to protect the organization from both internal and external threats. These measures are crucial to maintain defense-in-depth (DiD) and protect enterprise networks, systems, and data from compromise.

#2: Network Segmentation Can Prevent a Compromise from Evolving into a Serious Breach

The Network and Environment pillar of the NSA ZTS framework recommends that organizations implement network segmentation “at the macro and micro levels”. Segmentation, a crucial element of a ZTS architecture, means dividing a corporate network into multiple sub-networks to improve its performance, enable monitoring, and, most importantly, strengthen its security. Segmentation extends to the access policies themselves, which are scoped to each micro-segment. Segmentation improves network and organization security by:

- Restricting communications between networks
- Shielding the (segmented) network and its critical resources from unauthorized access
- Stopping harmful traffic from reaching vulnerable or business-critical devices
- Limiting the spread of cyberattacks

For optimal security, it’s best to implement both macro- and micro-segmentation. Macro-segmentation divides a network into multiple discrete sub-networks. It enables security teams to control the traffic between networks and to better detect and curtail attackers attempting lateral movement. Micro-segmentation also divides a network into segments, but it provides more granular security: users, applications, and workflows are isolated into individual segments, and security controls are applied to each segment. Strict access policies are also applied to limit lateral data flows, further reducing the attack surface and limiting the impact of attacks.
#3: Strong Access Controls Are Vital to Inhibit Lateral Movement

“Lateral movement” refers to the way cyberattackers move deeper into a network after gaining an initial foothold, traversing the IT infrastructure in an attempt to further infiltrate an organization in order to:

- Steal sensitive or confidential data (data breach)
- Encrypt devices or data for ransom (ransomware)
- Force the network to become non-operational (DDoS attack)
- Stay hidden in the network to perform further or long-term reconnaissance (cyber espionage)

In 2022, lateral movement made up 80% of cyberattacks on organizations but went undetected in 54% of cases. Attackers were also able to remain inside enterprise networks for (a very long) 7 months on average before detection [2].

It’s not easy to detect attackers once they start moving laterally through the network. It’s also hard to assess the damage they have already caused, and harder still to stop them from causing more. The best way to avoid the potentially catastrophic consequences of an attack is to stop adversaries from entering the network to begin with. One way to do this is with strong access controls. The NSA CIS recommends implementing these controls to curtail lateral movement:

- Write access policies into firewall rules based on security policies.
- Implement granular policy restrictions to logically and physically segment, isolate, and control access. Apply these restrictions both on-premises and off-premises.
- Control the traffic moving between network areas through macro-segmentation.
- Implement network boundaries to separate sub-organizations and prevent users in one sub-organization from accessing resources on other sub-organizations’ network segments.

#4: Defense-in-Depth for a Network Requires Data Flow Mapping and Software-Defined Networking (SDN)

Strong internal network controls can improve an organization’s DiD posture. One such control is, of course, network segmentation.
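To make the segmentation and access-control recommendations above concrete, here is an added example (not code from the NSA CIS or from BreachLock) that checks constructed flow records against a default-deny policy with macro-segments (zones) and micro-segments (workload tags), flagging flows that cross segments without a policy match as lateral-movement candidates and marking permitted flows on plaintext ports, the kind of finding a data-flow map is meant to surface. All zones, addresses, tags and flows are constructed for the example.

```python
from ipaddress import ip_address, ip_network
# Macro-segmentation: subnet -> zone (constructed sample topology).
ZONES = {
    "corp-users": ip_network("10.10.0.0/16"),
    "app": ip_network("10.20.0.0/16"),
    "db": ip_network("10.30.0.0/16"),
}
# Micro-segmentation: workload tag per host (constructed).
WORKLOAD_TAGS = {"10.20.1.5": "web-frontend", "10.20.2.7": "order-service", "10.30.1.9": "orders-db"}
# Allow-list (src_zone, dst_zone, dst_port, src_tag, dst_tag); None = any workload; unlisted = denied.
ALLOWED = [
    ("corp-users", "app", 443, None, "web-frontend"),
    ("corp-users", "app", 80, None, "web-frontend"),  # legacy plaintext rule, kept to show flagging
    ("app", "app", 8443, "web-frontend", "order-service"),
    ("app", "db", 5432, "order-service", "orders-db"),
]
PLAINTEXT_PORTS = {21, 23, 80, 389}  # destination ports the data-flow map treats as unencrypted

def zone_of(addr):
    """Map an address to its macro-segment, or 'unknown' if it is outside every zone."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unknown")

def evaluate(src, dst, dport):
    """Return 'allow', 'allow-unencrypted' or 'deny' for one flow."""
    sz, dz = zone_of(src), zone_of(dst)
    st, dt = WORKLOAD_TAGS.get(src), WORKLOAD_TAGS.get(dst)
    for a_sz, a_dz, a_port, a_st, a_dt in ALLOWED:
        if (a_sz, a_dz, a_port) == (sz, dz, dport) and a_st in (None, st) and a_dt in (None, dt):
            return "allow-unencrypted" if dport in PLAINTEXT_PORTS else "allow"
    return "deny"

def audit(flows):
    """Attach a verdict to each (src, dst, dport); denied flows are lateral-movement candidates."""
    return [(src, dst, dport, evaluate(src, dst, dport)) for src, dst, dport in flows]

# Constructed flow records (src, dst, dst_port), shaped like a flow collector's export.
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.1.5", 443),   # user -> web frontend: allowed
    ("10.20.1.5", "10.20.2.7", 8443),   # frontend -> order service: allowed
    ("10.20.2.7", "10.30.1.9", 5432),   # order service -> DB: allowed
    ("10.10.5.20", "10.30.1.9", 5432),  # user straight to DB: macro-segment violation
    ("10.20.1.5", "10.30.1.9", 5432),   # frontend to DB, skipping order service: micro-segment violation
    ("10.10.5.20", "10.20.1.5", 80),    # permitted but plaintext: what the data-flow map should surface
]

if __name__ == "__main__":
    for src, dst, dport, verdict in audit(SAMPLE_FLOWS):
        print(f"{src:<12} -> {dst:<12}:{dport:<5} {verdict}")
```

The same allow-list is what you would express as firewall or SDN policy; running exported flows through it lets you spot both policy gaps and rules that still permit unencrypted traffic.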
The NSA also recommends three other crucial measures that deliver DiD security for enterprise networks:

Data flow mapping. Mapping their data flows enables organizations to discover data misuse. Detailed, up-to-date data maps enable security teams to identify anomalous or malicious data behaviors and take appropriate action to mitigate threats. Maps also highlight where data is not encrypted, and therefore vulnerable to misuse, and provide useful inputs for network segmentation.

Software-defined networking. The NSA recommends integrating SDN components into existing infrastructure because SDN allows centralized monitoring, control, and alerting for the enterprise network. It also provides holistic visibility into the network and its security threats, simplifies network management, and makes it easy to enforce unified security policies.

Data encryption. The NSA CIS recommends that data senders implement end-to-end encryption or use virtual private networks (VPNs) to protect data in transit.

Conclusion

The latest CIS from the NSA provides a lot of useful guidance to help organizations strengthen their network security controls and thus reduce their attack surface. Another effective way to reduce your organization’s attack surface, beyond adopting zero-trust security policies, is implementing a robust attack surface management (ASM) solution. BreachLock’s ASM solution continuously monitors your attack surface to help you keep track of and prioritize potential emerging threats, create a security roadmap, and implement true defense-in-depth.
References

[1] NSA, Advancing Zero Trust Maturity Throughout the Network and Environment Pillar, Cybersecurity Information Sheet, March 2024.
[2] Top Lateral Movement Techniques – The Red Team Edition.