Monday, January 9 • 1:15pm - 4:00pm
Training Track I: Trust but Verify - Part 1

Zero Trust is currently one of the most talked about topics in the security industry. Its approaches and implementations differ with the environment and deployment in question, which creates a wide range: from more "static" infrastructures to fully dynamic or hybrid ones, covering user application deployment and usage as well as BYOD in an enterprise environment.

While many vendors have developed and offered tooling and guides around Zero Trust, from a security perspective visibility and verification are "musts."

NIST's SP 800-207 is currently the most comprehensive and vendor-neutral standard on the subject, applicable to government entities and private organizations alike.

Network visibility is an essential, easy, and non-intrusive way to create observables and early warning indicators of gaps when monitoring Zero Trust infrastructures and networks -- and thus also to get early warning of possible attack vectors that threat actors could exploit. Understanding both perspectives, how and what to monitor in Zero Trust infrastructures and where the monitoring hotspots are, is a basic and vital step toward correct security operations and visibility. Combining that understanding with an exploration of basic but effective APT tactics used by malware actors -- including abuse of public infrastructure -- can give SOC teams an edge.

In this hands-on workshop, we will dissect real-world malware network capture examples (including endpoint processes and views) and the steps that malware actors go through, viewed from a Zero Trust network security monitoring perspective and including cases where public infrastructure abuse is involved. The initial vectors can be many, ranging from CVEs and zero-days to stolen credential usage and obfuscated executable content. The workshop aims to expose some of the tactics used by malware actors, together with ways to observe them on the network and how to test cases mapped to MITRE TTPs. We will also share ways to obtain and train on publicly available data sources.

As defined by NIST:
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.
Source: NIST SP 800-207, https://csrc.nist.gov/publications/detail/sp/800-207/final

Speakers

Peter Manev

QA / Training Lead, Open Information Security Foundation - OISF
Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA and training lead. He is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including as an enterprise-level IT security practitioner. SELKS maintainer...


Monday January 9, 2023 1:15pm - 4:00pm MST
Santa Fe Community Convention Center - Coronado Room 201 W Marcy St, Santa Fe, NM 87501, USA