Protecting Government Apps and Workloads from Zero-Day Cyber Threats

Date: October 24, 2023

In April 2023, CISA released Zero Trust Maturity Model Version 2, which added a fourth security maturity level and reaffirmed application and workload cyber requirements.

In this article we consider the Threat Protections security levels within the Applications and Workloads pillar and the additional mitigation required for the residual risk that remains at every level. We also describe a solution that addresses those residual risks.

Here are the new maturity levels for Threat Protections within the Applications and Workloads Pillar.

Table 1: Application and Workload: Threat Protections

| Maturity Factor | Traditional | Initial | Advanced | Optimal |
| --- | --- | --- | --- | --- |
| App Workflow Integration | Minimal integration | Basic integration (mission critical apps) | Complete integration (all apps) | Dynamic integration (all apps) |
| Threat scope | Known | Known; some app-specific | Known; some app-specific; targeted | Real-time visibility; content-aware protections against sophisticated, app-specific attacks |
| Residual Risks (all levels) | 1) Legacy: unsupported hardware, software, OSs; 2) Zero-Day attacks | | | |

As your agency moves through the maturity levels (left to right in the Application and Workload: Threat Protections table above), it reduces risk to its applications and workloads, and the residual risk shrinks at each step.

However, there are still two residual risk scenarios, regardless of the level of maturity the agency reaches: Legacy systems and Zero-Day attacks.

Legacy Systems

Legacy systems, in this article's context, are systems that cannot move through the maturity model because they are no longer supported. Examples include Windows Server 2003, Windows Server 2008 R2, and Microsoft Exchange 2013.

Traditional endpoint security (EDR/MDR/XDR) relies on post-incident detection and response and struggles to stop zero-day persistent threats. These attacks often force agencies into tough decisions, such as turning off compromised services during an attack to block the active threat.

Agencies may still have these legacy systems deployed. Over time, bad actors find and exploit them, because neither the product vendor nor security vendors supply supported mitigations. Adversaries also create new risk by finding new vulnerabilities in legacy systems.

Legacy systems' endpoint risks can often be mitigated with technical compensating controls such as inline Intrusion Protection Systems (IPS) placed in front of the legacy systems. IPS is highly effective against vulnerabilities with known signatures and scales across multiple endpoints, but because IPS relies on signature-based identification, the host remains susceptible to Zero-Day attacks.

Zero-Day Attacks

Zero-Day attacks exploit vulnerabilities that are not yet known to defenders, so no pattern (signature) exists to match the tactics and techniques the bad actors use.

Enter Virsec

Virsec, a T-Rex partner, stands in the gap between Zero Trust functions and Zero-Day attacks. By protecting apps and workloads from unknown attacks, as shown below, Virsec completes the Zero-Day architecture.

Figure 1: Enter Virsec: Zero Trust Security Posture

Virsec Security Platform (VSP)

The Virsec Security Platform supports Zero Trust 2.0 Application and Workload protection. That support takes the form of a complementary Zero Trust approach, as shown in the VSP Protection Engines below:

Figure 2: Virsec Security Platform (VSP)

Host Protection

The security engineer manages the host protection capabilities through two tabs in the VSP web interface: host protection and application control policies (ACP) as shown here:

Figure 3: Virsec Menu

The Host Protection table (shown below) allows the security engineer to curate and refine the Allowlist and to apply application control policies. VSP also supports three states for each endpoint: Disabled, Protect, and Detect (Detect is highlighted in blue in the screenshot), allowing granular control for change control and acceptance during Zero Trust projects.

Figure 4: Host Protection Table

App Control Policies

In addition to the host protections shown in the Host Protection Table (above), VSP also supports OS-based application-level protections through App Control Policies (ACPs). The security engineer may apply ACPs at the same time as Host Protections or later, to limit the amount of change during deployments.

The following screenshot gives an example of one Linux and two Windows ACPs:

Figure 5: Linux and Windows ACP

For a complete list of supported Operating Systems, please refer to VSP2.8_CompatibilityGuide.pdf (virsec.com).

VSP ships with a variety of ACPs. To get a feeling for their functionality, one of the out-of-the-box Application Control Policy (ACP) templates for Linux systems, which uses a strict match to protect the native Linux route command, is shown here:

Figure 6: Default ACP

Call Out: Commands such as route, arp, ping, and ifconfig have valid uses for cyber and system staff, but they are also ideal discovery tools for hackers seeking targets.
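The two control styles this article contrasts, signature matching (the IPS limitation under Legacy Systems and Zero-Day Attacks above) and allowlist-based application control with the Disabled, Detect and Protect states (the Host Protection and App Control Policies sections), can be modelled in a few lines. The following is an added example and is not Virsec's or T-Rex's code; it does not reproduce VSP's policy format. The host name, executable names, signatures and launch events are all constructed for the illustration.

```python
"""Added example (not Virsec or T-Rex code): a toy model of signature-based
matching versus allowlist / application-control enforcement with the three
endpoint states the article names (Disabled, Detect, Protect).
All hosts, paths, signatures and events below are constructed."""
import re
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DISABLED = "disabled"   # policy loaded but not evaluated
    DETECT = "detect"       # violations are logged, never blocked
    PROTECT = "protect"     # violations are blocked


# Hypothetical IPS signatures: each pattern describes an attack that is already known.
KNOWN_SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "reflected-script": re.compile(r"<script", re.IGNORECASE),
}


def signature_match(payload: str) -> list[str]:
    """Return the names of the known signatures that fire on a request payload.
    A payload for a vulnerability nobody has written a signature for returns []."""
    return [name for name, pat in KNOWN_SIGNATURES.items() if pat.search(payload)]


@dataclass(frozen=True)
class HostPolicy:
    host: str
    mode: Mode
    allowlist: frozenset         # executables the host is permitted to run at all
    restricted: frozenset        # discovery tools (route, arp, ping, ifconfig) needing an approved parent
    approved_parents: frozenset  # processes allowed to launch restricted tools


@dataclass(frozen=True)
class ExecEvent:
    host: str
    parent: str  # image of the process requesting the launch
    exe: str     # image being launched


@dataclass(frozen=True)
class Verdict:
    action: str  # "allow", "log" or "block"
    reason: str


def evaluate(policy: HostPolicy, event: ExecEvent) -> Verdict:
    """Decide what the policy does with a process-launch event.
    The decision uses only the allowlist and the parent/child relationship,
    so it does not depend on recognising the exploit that produced the event."""
    if policy.mode is Mode.DISABLED:
        return Verdict("allow", "policy disabled")
    if event.exe not in policy.allowlist:
        reason = f"{event.exe} is not on the allowlist"
    elif event.exe in policy.restricted and event.parent not in policy.approved_parents:
        reason = f"{event.exe} launched by unapproved parent {event.parent}"
    else:
        return Verdict("allow", "permitted by allowlist")
    if policy.mode is Mode.DETECT:
        return Verdict("log", reason)
    return Verdict("block", reason)


# Constructed policy for a legacy web host: only these images may run, and the
# discovery tools may only be launched from an administrator's shell.
LEGACY_WEB_HOST = HostPolicy(
    host="legacy-web-01",
    mode=Mode.PROTECT,
    allowlist=frozenset({"java", "httpd", "bash", "route", "arp", "ping", "ifconfig"}),
    restricted=frozenset({"route", "arp", "ping", "ifconfig"}),
    approved_parents=frozenset({"bash"}),
)


if __name__ == "__main__":
    # A request whose pattern is in no signature slips past the signature check...
    print(signature_match("GET /api?x=NOVEL_UNSEEN_PAYLOAD"))  # []
    # ...but whatever that request makes the application do is still judged
    # against the allowlist, with no signature for the exploit needed.
    for ev in (
        ExecEvent("legacy-web-01", parent="java", exe="ifconfig"),      # web app spawning a discovery tool
        ExecEvent("legacy-web-01", parent="bash", exe="ifconfig"),      # admin shell doing the same
        ExecEvent("legacy-web-01", parent="java", exe="/tmp/dropper"),  # image never allowlisted
    ):
        v = evaluate(LEGACY_WEB_HOST, ev)
        print(f"{ev.parent} -> {ev.exe}: {v.action} ({v.reason})")
```

Switching the same policy to Detect mode turns each "block" into "log", which is the staged rollout the article describes: run in Detect while the allowlist is curated, then move the host to Protect. The signature check and the allowlist check answer different questions, which is why a signature miss (the zero-day case) does not by itself mean the resulting behaviour goes unexamined.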

Additional VSP Application Protections

VSP's Application Protection supplies added Zero Trust Application Protection (ZTAP) by automatically instrumenting the application workflow for multi-layer in-line monitoring through the application stack. For example, the Tomcat/Java stack has multiple sectors and attack surfaces. VSP enables protection across those sectors; here is an example protection stack screenshot from the VSP console.

Figure 7: Additional VSP Protections (Vulnerability Protection)

VSP in Action Against a Zero-Day Attack

This section shows VSP in action against a Zero-Day attack. The example scenario uses Kali Linux and a Log4j attack against a Windows 2012 host. The example covers both residual-risk scenarios, Zero-Day and Legacy, because the host has no supported malware/endpoint protection stack available. (Simulating a Zero-Day attack realistically is a chicken-and-egg problem: Log4j has since been mitigated, so no host protections for it were created, leaving it to behave as an unknown attack.)

The following diagram shows how VSP stops Log4J, at multiple stages of the attack.

Figure 8: Virsec Security Platform (VSP) – Applied Security Compensating Controls to Log4j

Here is the Host Protection policy for the victim (attacked) host:

Figure 9: Host Protection policy for the attacked host

For Application and Workload protections, VSP protects at the host level and the web application level.

The incident log for VSP protecting the victim is shown here:

Figure 10: Incident Log for VSP

The hacker would then see the following output from the Log4j attack attempt.

Figure 11: Hacker Output Screen

Summary

The CISA Zero Trust 2.0 Maturity Model increases the granularity of the model; however, addressing the inherent issues of Zero-Day exploits and of legacy systems with unpatched vulnerabilities requires added solutions and innovation. The Virsec Security Platform (VSP) is a strong solution to fill the gap for Zero-Day attacks and to close the widening gap in securing legacy systems through its built-in capabilities: stopping Zero-Day attacks, ensuring zero dwell time, and continuous run-time protection.

T-Rex’s cybersecurity engineers and architects work with Federal agencies to speed their Zero Trust endeavors through T-Rex’s Zero Trust Accelerator and innovative tooling as shown here. Contact us at cybersecurity@trexsolutionsllc.com to discuss how we can assist in your Zero Trust program.
