


Separating fact from fiction — where zero trust makes sense for defence

Opinion: The ACSC Essential Eight is one of Australia’s most significant achievements in cyber defence — it’s often referred to and leveraged by other countries as the gold standard. However, many organisations fall into the trap of thinking that the Essential Eight is their final destination, rather than a baseline, writes Lee Roebig, customer CISO at Sekuro.


In fact, various areas of the Essential Eight, including Multi-Factor Authentication (MFA) and patching, can be bypassed and/or exploited by an attacker in this modern threat landscape. This is particularly of concern to defence, given the growing threat of attacks against nation-states.

Most organisations, including defence, do know this, but they’ve often thought only a very determined attacker could bypass a lot of the mechanisms. But this isn’t always the case.


So, how can the Essential Eight be bypassed by attackers and how can implementing zero trust become a second line of defence for defence itself?

First of all – what is zero trust?

Zero trust is the concept that no person, device, object, or connection should be trusted until it is proven that it should be – and we must use as much context as possible before making that trust decision. Zero trust is also a fundamentally modern approach to cyber security to cater for modern technologies and a rapidly changing threat landscape.

In today’s world, organisations want to use modern technologies — like cloud-based SaaS products, but their cyber security program often isn’t ready for it. In the past, we placed far too much emphasis on perimeter security controls and far too much trust inside our internal network. These legacy approaches to security are now less effective, since our data and systems are often not within the four walls of our organisation, often rendering our previous controls powerless. Additionally, assumed trust inside our internal network leaves an organisation fully exposed once an asset is compromised.

So, we can see here that zero trust is about getting more context before trusting a decision. This goes well into our next subject – is username, password and MFA enough ‘context’ to grant a trust decision? I don’t believe it is any longer.

Four ways your MFA can be bypassed

MFA is a powerful control, and it has become ubiquitous in even the smallest organisations and a default in many industries, including defence. As a result, attackers have adapted their phishing techniques with various MFA bypass mechanisms.

As an example, legacy authentication methods (POP3, IMAP, etc) do not support MFA and will accept a username and password as successful authentication unless the protocol is disabled in the organisation’s productivity suite. Additionally, session cookie theft using man-in-the-middle techniques is simple, publicly available and very successful in tricking the user into sharing not just their username and password during a phishing session, but also their MFA token.

Then there’s the OAuth Grant bypass. The attacker tricks the user with a link in an email saying something like: “Please see document link here, as it’s too big to email. You can sign in with your secure corporate account to access”. The user opens the link, and sees a button they’re used to using all the time: “Sign in with Microsoft”. They click this and are shown the real Microsoft login page – they do their due diligence and even check the URL is correct (which it is). They are then prompted with a screen saying an app wants to interact with their Microsoft account, asking if they want to grant access to their data. Most users do not read this screen carefully and click “approve” — they have become numb to these boxes as they show up all the time on the internet when we choose to “login with Google” or “login with Facebook”. After this, their account has not been accessed by the attacker, but all the data within it is available to the attacker over API – including the ability to manipulate it. As mentioned earlier, the data is what the attacker is after, not necessarily the login to the account itself.

The final workaround I’ll mention is MFA bombing. This method applies when the attacker has the username and password for someone’s account but reaches an MFA prompt screen. The attacker sees the user is utilising a push notification app to facilitate logins. They then bombard the user with MFA prompts on their device in the hope that one is granted. What often happens is the user clicks “accept” due to fatigue, or by accident.

Whilst MFA, a critical part of the Essential Eight, is a useful tool, it’s far from foolproof as increasingly sophisticated attackers continue to adapt their strategies. These examples show that in the defence industry, relying on MFA without zero trust as a second line of defence can have dire consequences.
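Each of the bypasses above leaves a trace in identity telemetry that a defender can look for: a successful sign-in over a protocol that cannot carry an MFA challenge, a burst of push prompts ending in an approval, and a consent grant to an unverified app asking for data-access scopes. The following is an added example written for this article, not code from the author or Sekuro; the events are constructed, and the field names (ts, user, event, protocol, result, mfa, app, publisher_verified, scopes) are assumptions rather than any vendor’s real log schema.

```python
"""Detection checks for the MFA bypass patterns described above.

Added example, not code from the article or from Sekuro. The events below are
constructed, and the field names (ts, user, event, protocol, result, mfa, app,
publisher_verified, scopes) are assumptions rather than any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that accept a password and never carry an MFA challenge.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH", "Exchange ActiveSync"}
# Scopes (modelled on Microsoft Graph names) that hand an app the user's data over API.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                "Files.ReadWrite.All", "offline_access"}

# Constructed sample sign-in, MFA and consent events (not real telemetry).
EVENTS = [
    # alice: password-only IMAP sign-in succeeded, then a normal browser sign-in.
    {"ts": "2024-03-01T08:00:00", "user": "alice", "event": "signin",
     "protocol": "IMAP", "result": "success", "mfa": False},
    {"ts": "2024-03-01T08:05:00", "user": "alice", "event": "signin",
     "protocol": "Browser", "result": "success", "mfa": True},
    # bob: five push prompts denied or timed out, then one approved (MFA bombing).
    *[{"ts": f"2024-03-01T09:0{m}:{s}", "user": "bob", "event": "mfa_push", "result": r}
      for m, s, r in [(0, "00", "denied"), (0, "30", "timeout"), (1, "00", "denied"),
                      (1, "30", "timeout"), (2, "00", "denied"), (2, "30", "approved")]],
    # dave: a single approved prompt, which is ordinary behaviour.
    {"ts": "2024-03-01T10:00:00", "user": "dave", "event": "mfa_push", "result": "approved"},
    # carol: consented to an unverified app asking for mail and file access.
    {"ts": "2024-03-01T11:00:00", "user": "carol", "event": "consent", "app": "DocShare Viewer",
     "publisher_verified": False,
     "scopes": ["offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"]},
    # erin: consented to a verified app with a harmless scope.
    {"ts": "2024-03-01T11:30:00", "user": "erin", "event": "consent", "app": "Calendar Sync",
     "publisher_verified": True, "scopes": ["User.Read"]},
]


def _ts(value):
    return datetime.fromisoformat(value)


def legacy_auth_successes(events, legacy=LEGACY_PROTOCOLS):
    """Sign-ins that succeeded over a protocol on which MFA can never be enforced."""
    return [(e["user"], e["protocol"], e["ts"]) for e in events
            if e["event"] == "signin" and e["result"] == "success"
            and e["protocol"] in legacy]


def mfa_fatigue_candidates(events, window=timedelta(minutes=10), threshold=3):
    """Approved push prompts preceded by at least `threshold` unapproved prompts
    for the same user inside `window`: the shape of an MFA bombing that worked."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    hits = []
    for user, prompts in by_user.items():
        prompts.sort(key=lambda e: _ts(e["ts"]))
        for i, prompt in enumerate(prompts):
            if prompt["result"] != "approved":
                continue
            start = _ts(prompt["ts"]) - window
            prior = [q for q in prompts[:i]
                     if q["result"] != "approved" and _ts(q["ts"]) >= start]
            if len(prior) >= threshold:
                hits.append((user, prompt["ts"], len(prior)))
    return hits


def risky_consents(events, broad=BROAD_SCOPES):
    """Consent grants to an unverified publisher that include data-access scopes."""
    hits = []
    for e in events:
        if e["event"] != "consent" or e.get("publisher_verified"):
            continue
        matched = sorted(set(e["scopes"]) & broad)
        if matched:
            hits.append((e["user"], e["app"], matched))
    return hits


def run_all(events=EVENTS):
    return {"legacy_auth": legacy_auth_successes(events),
            "mfa_fatigue": mfa_fatigue_candidates(events),
            "risky_consent": risky_consents(events)}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings)
```

Running the block lists alice’s IMAP sign-in, bob’s approval after five rejected prompts, and carol’s consent to the unverified app; dave and erin produce nothing. The thresholds and window are starting points to tune against an organisation’s own baseline, and the legacy-protocol check is only a backstop: the durable fix is disabling those protocols, as the text says.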

Patching: A band-aid solution

The Essential Eight prioritises patching and vulnerability scanning very highly, and rightfully so when you consider that attackers use exploits to move throughout an organisation. However, there are situations where patching will not save an organisation from compromise, or where it has too high a cost to maintain. In reality, many resource-constrained organisations collapse under the burden of thousands of vulnerabilities, patches and the like every month in their complex environment. Many have also not implemented strong preventative controls due to a lack of time, particularly the more difficult (but extremely valuable) ones like network segmentation – a key element of zero trust.

Beyond resource constraint, when patching, you’re reliant on the vulnerability being publicly exposed and a patch becoming available. On top of this, compromised credentials will allow an attacker to freely move throughout an enterprise, with no need to exploit vulnerabilities.

Whilst defence might have the time and resources to invest in patching and preventative controls, the same can’t be said for everyone in their supply chain. And we all know an organisation’s cyber defences are only as good as its weakest link.

The zero trust defence

As we peel back the layers of an attack, we can use the analogy of a road. The high-value system and the data within it is the destination. The driver is the attacker, the vehicle is the system vulnerability and the road is the network permissiveness. We can’t stop the driver (attacker) from existing, and we can’t always remove the vehicle (the vulnerability), but what we should control is the road (the network). If there is no road available, whether the attacker or vehicle exists doesn’t matter. They simply cannot reach that destination (the data).

A strong zero trust framework will start by implementing network segmentation (host by host, not subnet to subnet) as a priority, starting with management ports and other high-risk ports and protocols. This mitigates an attacker’s ability to move throughout an organisation, even with a compromised account or available exploit. If the attacker can’t find the asset or port on the network, the security posture of the destination doesn’t matter. The pathway (network connectivity) does not exist to gain access to it, mitigating this completely.

An effective zero trust strategy will also deploy preventative techniques like application control and Endpoint Detection and Response (EDR) before patching. Many organisations try to fix patching first, when in fact it is mostly a corrective control. Now, this doesn’t mean patching is not necessary, quite the contrary. The point is to have the correct prioritisation of patching and to ensure the time spent is worth the end result. Once an organisation has EDR in prevention mode, application control in enforcement mode, and network segmentation driven by least privilege, they can then do focused patching and vulnerability management. This means focusing on what matters — not just the asset value, but also the exposure. This makes things a lot easier to maintain. If all assets are exposed, you’re stuck patching everything, all the time, and it takes far too long without a positive security outcome.
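The road analogy and the exposure-driven patch prioritisation above can be made concrete with a small model: host-by-host allow rules define the only roads, a breadth-first search finds which services an attacker standing on a given host could reach (assuming, per the compromised-credentials point earlier, that every host reached becomes a pivot), and findings are ranked by whether a road exists before asset value and severity. This is an added example written for this article, not code from the author or Sekuro; the hosts, rules, placeholder vulnerability identifiers and scores are all constructed.

```python
"""Model of the 'road' analogy: is there a network path from where an attacker
stands to a vulnerable service, and which patches matter first?

Added example, not from the article or Sekuro. Hosts, allow rules, the
VULN-PLACEHOLDER-* identifiers and the scores are constructed placeholders.
"""
from collections import deque

# Constructed inventory: host -> business value (1-5) and listening services.
HOSTS = {
    "laptop-1": {"value": 1, "services": {}},
    "web-1":    {"value": 3, "services": {443: "web"}},
    "app-1":    {"value": 4, "services": {8080: "app", 22: "ssh"}},
    "db-1":     {"value": 5, "services": {5432: "postgres", 22: "ssh"}},
    "jump-1":   {"value": 2, "services": {22: "ssh"}},
}

# Constructed vulnerability findings: (host, port, placeholder id, CVSS-style score).
FINDINGS = [
    ("web-1", 443, "VULN-PLACEHOLDER-A", 9.8),
    ("db-1", 5432, "VULN-PLACEHOLDER-B", 9.1),
    ("db-1", 22, "VULN-PLACEHOLDER-C", 7.5),
    ("app-1", 22, "VULN-PLACEHOLDER-D", 8.8),
]

# Host-by-host allow rules (src, dst, port); anything not listed is denied.
# A subnet-to-subnet policy would say "laptops -> servers, any port"; this
# names the exact pair and port, which is what least-privilege segmentation means.
ALLOW = [
    ("laptop-1", "web-1", 443),
    ("laptop-1", "jump-1", 22),
    ("web-1", "app-1", 8080),
    ("app-1", "db-1", 5432),
    ("jump-1", "app-1", 22),
]


def reachable_services(start, allow=ALLOW):
    """BFS over the allow rules. Returns {(host, port): path} for every service an
    attacker on `start` can reach, treating each host reached as a new pivot
    (worst case: compromised credentials work everywhere the road goes)."""
    edges = {}
    for src, dst, port in allow:
        edges.setdefault(src, []).append((dst, port))
    seen, paths = {start}, {}
    queue = deque([(start, [start])])
    while queue:
        host, path = queue.popleft()
        for dst, port in edges.get(host, []):
            paths.setdefault((dst, port), path + [dst])  # first hit is shortest
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [dst]))
    return paths


def prioritise_patches(start, findings=FINDINGS, hosts=HOSTS, allow=ALLOW):
    """Rank findings: reachable from `start` first (fewest hops first), then by
    asset value, then by severity. Unreachable findings sink to the bottom:
    with no road to them they cannot be used from `start`, so they can sit on a
    slower patch cycle while segmentation holds."""
    paths = reachable_services(start, allow)
    ranked = []
    for host, port, vid, score in findings:
        path = paths.get((host, port))
        ranked.append({"host": host, "port": port, "id": vid, "score": score,
                       "value": hosts[host]["value"], "exposed": path is not None,
                       "hops": len(path) - 1 if path else None})
    ranked.sort(key=lambda f: (not f["exposed"], f["hops"] or 0, -f["value"], -f["score"]))
    return ranked


def flat_network(hosts=HOSTS):
    """Rules equivalent to no segmentation: every host may reach every service."""
    return [(src, dst, port) for src in hosts for dst, info in hosts.items()
            if src != dst for port in info["services"]]


def exposed_count(start, allow):
    """How many findings an attacker on `start` has a road to under `allow`."""
    return sum(1 for f in prioritise_patches(start, allow=allow) if f["exposed"])


if __name__ == "__main__":
    for finding in prioritise_patches("laptop-1"):
        print(finding)
    print("exposed, segmented:", exposed_count("laptop-1", ALLOW))
    print("exposed, flat network:", exposed_count("laptop-1", flat_network()))
```

From a compromised laptop under the segmented rules, the web server’s finding ranks first (one hop), the database’s SSH finding is unreachable and drops to the bottom, and three of four findings are exposed; under the flat-network rules every finding is one hop away and all four demand immediate patching, which is the “patching everything, all the time” situation the text describes.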

Whilst the Essential Eight is a major milestone for cyber security, on its own it can only protect you so much. In defence, the stakes are too high to leave opportunities for smart attackers to bypass the controls and processes outlined in the Essential Eight. That’s why defence, and in fact all industries, should look at stepping into a zero trust approach. This involves challenging the way things have been done, assuming that all controls could be bypassed, and marching along a more secure path backed by real-world evidence whilst reducing complexity at the same time.


Lee Roebig is the customer CISO at Sekuro
