Why Packet Capture is Important for Zero Trust

• Contents
• What is Zero Trust?
• What are the Basics of Zero Trust?
• Does Zero Trust Require a New Security Tool Suite?
• How Does Packet Capture Help Zero Trust?

What is Zero Trust?

Perimeter based network security is no longer sufficient, a clear boundary no longer exists because of the complexities in our networks, services, and how our teams need to work. Our security architectures can no longer rely on the traditional castle and moat strategy of the past, threats are easily evading traditional defences.

From the NIST standard: 

A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement.

A Zero Trust Architecture (ZTA) is a revolution in how we think about cyber security, it forces us to recognise that network locality is not sufficient for deciding trust, and that threats always exist. At its core the philosophy of zero trust requires us to evaluate trust on a per-transaction basis rather than a location basis, and implement a feedback loop to monitor and measure security posture.

NIST published SP 800-207 in 2020 with 59 pages of detail on the fundamentals of a ZTA.

What are the Basics of Zero Trust?

In short, “Zero Trust” = “Never Trust, Always Verify”.

A Zero Trust Architecture (ZTA) is built on seven basic tenets which can be boiled down to these main themes:

• Assume attackers are always present on an Enterprise network. Communications must always be secure.
• Location is no longer sufficient to determine trust. Threats can come from anywhere including; internal networks, external networks, VPNs, cloud, VPCs, authenticated WiFi, Secure Networks, BYOD, or corporately managed machines.
• Every device, user and communication must be authenticated and authorised for each service they consume, every time they request it.
• Security and access policies must be dynamic and based on the security posture of the requesting asset.
• Closed loop feedback is critical, monitor and collect data on the network and infrastructure to continuously review and improve security posture.

There are several approaches organizations can use to enact a ZTA by adopting one or a mix of the following:

• Enhanced identity governance,
• Micro-segmentation of the network,
• Software Defined Perimeters using Software Defined Networks.

Does Zero Trust Require a New Security Tool Suite?

No, but it most likely requires you to enhance, extend, or augment your existing security controls and monitoring tools.

Zero Trust leverages technologies available today and defines architectures and general deployment models to improve security posture. It does not specify which technologies to use, however there are many technologies that will be essential when migrating to a Zero Trust Architecture.

For example, existing AAA (Authentication, Authorization and Accounting) technologies may be leveraged to authenticate users and grant them permission to use a resource that was previously trusted and open to all internal users. This may require upgrading resources to utilize AAA on a per session basis, and this may be augmented with two factor authentication (2FA) for extra security.

Threat detection tools may be integrated with AAA to enact dynamic restrictions in the case where an asset displays behaviours that indicate increased risk level. For example if port scanning activity is detected on a host machine, it should be flagged as suspect and access privileges should be reduced or removed.

It’s very likely that you will need to augment your environment with network monitoring, network packet capture, centralised logging and processes to audit transactions and usage of the network. This is an area that is often lacking but is the essential feedback loop that allows you to review and continuously improve security robustness.

These are just a few of the many aspects to consider as you plan your organization's migration to a ZTA.

For an introduction to packet capture read "What is Network Packet Capture?"

Learn more

How Does Packet Capture Help Zero Trust?

The 7^th tenet of ZTA is: 

The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

To fulfil this tenet, it’s important to have always-on continuous packet capture to record all the transactions that occur across your network, only then will you have the visibility to fully investigate threats and audit your network for suspicious or unsecured activity.

For example: In the earlier example of port scanning a potential threat was detected and dynamic policy adjusted to remove access to resources automatically, packet capture is then used to investigate the potential threat in greater detail. By examining packet evidence, we can determine the very nature of the suspicious activity. If activity detected was a non-threatening behaviour, policy can be adjusted to reduce the chance of false alarms in the future. If a threat was real, we can threat hunt further using packet capture to understand the full extent and seriousness of the threat and ensure that is has been fully contained.

Remember, Zero Trust is built on the premise that threats always exist on the network. So, it is important that we continually verify and audit the behaviours of our Zero Trust deployment. Packet capture evidence is key to ensuring our ZTA is responding to threats appropriately, not overly restricting access or generating false alarms and most importantly it must stop real threats before they do damage.

Packet capture is a powerful tool for keeping Zero Trust deployments safe, secure and running at their best.