Connect with us
CCW 2024

Expert Speak

Five Questions to Ask Before Creating a Perimeter Security Plan



Written by Rudie Opperman, Engineering and Training Manager, EMEA at Axis Communication at Axis Communications

A well-protected perimeter is more than just a tall fence topped with barbed wire. It is a system of layered defences that are designed to deter, detect, and delay intruders. A robust security solution is essential for any organisation that wants to protect its assets and people.

The physical security market in the Middle East and North Africa (MENA) region was estimated at USD 1.8 billion in 2022 and is expected to see a CAGR of over 7% between 2022 and 2028. It’s clear that organisations in the region realise the value of security. However, developing a robust, carefully considered perimeter protection plan that protects premises and deters unauthorised persons before they can damage property or hurt customers or employees requires planning.

Here are five important questions to ask when designing a perimeter protection blueprint.

Is my technology up to date?
In fast-paced and high-technology regions such as the Middle East, using the most updated security solutions is essential for several reasons. The first is to ensure regulatory compliance. Organisations in critical infrastructure, or government entities, are often required by law to keep their security technology up to date to avoid penalties. This is relevant to both physical and cybersecurity, which work together to effectively secure organisations and their employees, assets, and premises.

Cybersecurity is receiving more attention from regulators than ever before, especially as ICT infrastructure and resources become critical assets across all industries. In Saudi Arabia, for instance, the National Cyber Security Strategy requires organisations to implement a number of security measures, including keeping security solutions up to date. The same applies to countries such as the UAE and Qatar.

The second is to improve product efficiency. Video motion detection technology has evolved from pixel-based analysis to smarter, object-based detection that issues alerts based on object type. The UAE and Saudi Arabia are excellent examples of where this versatile and powerful tool has helped to improve public safety, manage traffic, streamline the flow of people in public spaces, and provide insights and trends regarding that flow.

Recently, the Ajman Transport Authority in the UAE commenced the installation of surveillance cameras on all Abra ferries as part of its plan to enhance safety and security. The latest generation of smart IP devices and cameras utilise advanced analytics at the edge for proactive detection and decision-making. Furthermore, they are enhanced by innovative features such as radar detectors and thermal sensors.

The third reason to ensure you are using the most up-to-date technology is to ensure protection against cyberattacks. By its nature, Internet of Things (IoT) technology is connected to the Internet. This means IoT devices such as IP cameras and other endpoints are vulnerable to cyberattacks. Distributed denial-of-service (DDoS) attacks continue to grow in number and size, according to the latest Cloudflare research. In IoT-enabled, cutting-edge environments, these attacks can cripple perimeter security solutions by either crashing systems or blocking access to video footage.

This is where downloading the latest solution updates and patches can help better protect companies from cyber threats.

How will climate or environmental conditions affect my detection?
The Middle East’s climate and environmental conditions, such as high temperatures, high humidity, sand and dust storms, and strong winds, can affect security equipment. For facilities operating in extreme conditions, such as oil and gas, power plants, airports, and ports, operators must consider more than just the functions and features of security solutions.

Cameras with conventional optical sensors are not always sufficient for extreme lighting conditions such as low light or backlight. As a result, using the right sensor technology is key to achieving optimal visibility and range levels. Security cameras exposed to a constantly changing environment (humidity, moisture, or temperature) can corrode and malfunction. Issues can also appear when saline air, cleaning agents, and other harsh chemicals are present. This is true for use in coastal sites, food plants, medical facilities, and clean room environments.

IP cameras with a wide dynamic range or thermal technology and robust housings (usually stainless steel or polycarbonate) are more suitable for these conditions. Image stabilisation can also be a problem in windy conditions that cause vibration. Electronic image stabilisation (EIS) can reduce shaking caused by high- and low-amplitude vibrations and wind.

Who should receive the alert and how?
Monitoring perimeters at all times across multiple locations can be challenging. However, adding an intelligent and robust network video-based system, featuring IP audio and video analytics, to traditional security measures enables reliable intrusion detection. These solutions allow security personnel to survey perimeters whether they’re observing monitors, patrolling facilities, or off-premise using mobile devices.

Perimeter protection solutions evaluate situations and should notify personnel only when there’s a true threat. By dismissing non-threatening subjects or events, employees can better verify the nature of the risk and respond appropriately. This level of security helps businesses reduce false positives, lowers property damage and losses, and decreases business disruptions.

For example, in airport environments, security solutions with remote capabilities can quickly alert airport personnel, ensuring that intruders are apprehended before or, at worst, immediately after a breach occurs. Case studies of this include Jeddah and Madinah airports in Saudi Arabia, which have introduced modern technology to enhance customer safety and security efficiency, especially during high-traffic periods when Hajj pilgrims head to Mecca.

How should I determine what caused the alert?
The right perimeter protection solutions make identifying the cause of an alert or threat easier. For instance, thermal cameras can help to identify and deter threats. Thermal cameras with intelligent video analysis produce significantly fewer false alarms than optical cameras and are less sensitive to severe environmental conditions, such as extreme winds, sandstorms, and fog. Some thermal cameras are also equipped with EIS to keep them stable in windy conditions. When coupled with remote monitoring capabilities, thermals can quickly notify personnel to verify the threat in person or by using visual cameras.

Security equipment may have trouble identifying intruders in poor or extreme lighting conditions. However, cameras fitted with a wide dynamic range can help by restricting the scene to better view objects. Furthermore, though it may come at the expense of colour detail, cameras fitted with 940nm infrared light can illuminate dark scenes. Cameras with radar capabilities take detection a step further. By not being fully dependent on scene visibility, security personnel have a reliable solution that also minimises false alarms.

What is my required detection level?
Security personnel should eliminate blind spots along perimeters. Consider the need to detect threats at all distances and the real-world limitations of perimeter protection technology. For example, a thermal camera with ranges in excess of 300 metres may not be able to distinguish between humans and animals. System needs, environmental conditions, and terrain should all be considered when designing a perimeter security solution.

Looking to the future of security perimeter planning in the Middle East
|With the rapid development happening across the Middle East, prioritising security perimeter planning is essential. With the threat of crime and the responsibility of looking after critical infrastructure, businesses and organisations need to take every possible step to protect their assets and people, and a well-protected perimeter is an essential first line of defence against intruders. The right security professional can help you assess your needs and recommend the best security measures for your property.

Expert Speak

Scammers Target People Who are Newly Single, Wealthy, or Inexperienced With Using Online Platforms



Written by Doros Hadjizenonos, Regional Director at leading cybersecurity specialists Fortinet

With hundreds of millions of people using online dating platforms and nearly five billion using social media, the online space offers a rich hunting ground for scammers. Researchers at Georgia State University found scammers often target people who are newly single, wealthy, or inexperienced with using online platforms. However, people of all ages and from all walks of life have fallen victim.

Doros Hadjizenonos, Regional Director at leading cybersecurity specialists Fortinet, says fraudsters target users of social media and online dating apps in growing numbers. “So-called romance scammers typically create fake profiles to interact with users, build a relationship, and ultimately manipulate them to extract money,” he says. This may result in both financial losses and emotional trauma.

In the US alone, around 24,000 people collectively lost nearly $1 billion to romance scammers in 2021, according to the FBI. In the UK, the National Fraud Intelligence Bureau (NFIB) received 8,036 reports of romance fraud in the past year, with total losses amounting to over £92 million. In South Africa, there is an increase in reported romance scams, leading to some victims losing millions, their life savings, or their pensions.

Hadjizenonos notes that technology is helping romance scammers become even more sophisticated. “Deepfake photos, voice calls and videos, and letters or poems written by GenAI like ChatGPT, can be very convincing,” he says.

He believes AI could be used by social media platforms and dating sites to help reduce the risk to their users. “AI-enabled analytics can be used to pick up patterns in chats and raise alerts – without compromising individual users’ privacy,” he says. These tools could spot warning signs like persistent requests for personal details or money. “Platforms could also use biometric data to verify users against government identity systems.”

The most important measure to protect users against romance scams is awareness, he says. “People need to be very cautious online. They should think twice about sharing personal information, sending people money or private photos, or entertaining offers related to get-rich-quick schemes. They should also make use of the platform’s privacy settings and research their love interest’s social media footprint – if there’s no history and just one photo, this should be a red flag,” he says. “Scammers often steal other people’s profile pictures, so a reverse image search may indicate whether the new contract is who they say they are.”

Fortinet has highlighted several warning signs that individuals should be mindful of when engaging with a potential romantic partner online. These include:

  • Love bombing: Rapid declarations of love, discussions of marriage, and excessive flattery.
  • Distance: Persistent excuses for being unable to meet in person, such as remote work locations, living in another country, military postings, or frequent travel, along with a reluctance to engage in phone or video calls.
  • Requests for money: Initial small requests that gradually escalate to larger sums.
  • Unsolicited investment advice: Claims of being a skilled investor and promises to help make easy money.
  • Drama: Seeking urgent financial assistance under the pretence of a medical emergency, accident, arrest, or other unforeseen events, often accompanied by a plausible explanation for their inability to access their funds.
  • Requests for explicit photos: Seeking private photos that could be exploited for extortion.
  • Inconsistencies in communication style: Multiple scammers taking turns to manipulate the victim.

Being aware of these red flags can help individuals protect themselves from potential romance scams and online exploitation. “Remain open to the magic of finding love this Valentine’s Day, but remember to tread carefully and stay vigilant. It’s crucial not to let romance cloud your judgment,” Hadjizenonos concludes.

Continue Reading

Cyber Security

HijackLoader Expands Techniques to Improve Defense Evasion



Written by Donato Onofri, Senior Red Team Engineer at CrowdStrike; and Emanuele Calvelli, Threat Research Engineer at CrowdStrike

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defence evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defence evasion stealthier.

The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defence evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Infection Chain Overview

The HijackLoader sample CrowdStrike analyzed implements complex multi-stage behaviour in which the first-stage executable (streaming_client.exe) deobfuscates an embedded configuration partially used for dynamic API resolution (using PEB_LDR_DATA structure without another API usage) to harden against static analysis.
Afterwards, the malware uses WinHTTP APIs to check if the system has an active internet connection by connecting to https[:]//nginx[.]org.

If the initial connectivity check succeeds, then execution continues, and it connects to a remote address to download the second-stage configuration blob. If the first URL indicated below fails, the malware iterates through the following list:

  • https[:]//gcdnb[.]pbrd[.]co/images/62DGoPumeB5P.png?o=1
  • https[:]//i[.]imgur[.]com/gyMFSuy.png;
  • https[:]//bitbucket[.]org/bugga-oma1/sispa/downloads/574327927.png

Upon successfully retrieving the second-stage configuration, the malware iterates over the downloaded buffer, checking for the initial bytes of a PNG header. It then proceeds to search for the magic value  C6 A5 79 EA, which precedes the XOR key (32 B3 21 A5 in this sample) used to decrypt the rest of the configuration blob.

Following XOR decryption, the configuration undergoes decompression using the RtlDecompressBuffer API with COMPRESSION_FORMAT_LZNT1. After decompressing the configuration, the malware loads a legitimate Windows DLL specified in the configuration blob (in this sample, C:\Windows\SysWOW64\mshtml.dll).

The second-stage, position-independent shellcode retrieved from the configuration blob is written to the .text section of the newly loaded DLL before being executed. The HijackLoader second-stage, position-independent shellcode then performs some evasion activities (further detailed below) to bypass user mode hooks using Heaven’s Gate and injects subsequent shellcode into cmd.exe.The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process.

The third-stage shellcode implements a user mode hook bypass before injecting the final payload (a Cobalt Strike beacon for this sample) into the child process logagent.exe. The injection mechanism used by the third-stage shellcode leverages the following techniques:

  • Process Doppelgänging Primitives: This technique is used to hollow a Transacted Section(dll) in the remote process to contain the final payload.
  • Process/DLL Hollowing: This technique is used to inject the fourth-stage shellcode that is responsible for performing evasion before passing execution to the final payload within the transacted section from the previous step.

The figure below, details the attack path exhibited by this HijackLoader variant.

Main Evasion Techniques Used by HijackLoader and Shellcode

The primary evasion techniques employed by the HijackLoader include hook bypass methods such as Heaven’s Gate and unhooking by remapping system DLLs monitored by security products. Additionally, the malware implements variations of process hollowing and an injection technique that leverages transacted hollowing, which combines the transacted section and process doppelgänging techniques with DLL hollowing.

Like other variants of HijackLoader, this sample implements a user mode hook bypass using Heaven’s Gate (when run in SysWOW64) — this is similar to existing (x64_Syscall function) implementations. This implementation of Heaven’s Gate is a powerful technique that leads to evading user mode hooks placed in SysWOW64 ntdll.dll by directly calling the syscall instruction in the x64 version of ntdll.

Each call to Heaven’s Gate uses the following as arguments:

  • The syscall number
  • The number of parameters of the syscall
  • The parameters (according to the syscall)

This variation of the shellcode incorporates an additional hook bypass mechanism to elude any user mode hooks that security products may have placed in the x64 ntdll. These hooks are typically used for monitoring both the x32 and x64 ntdll. During this stage, the malware remaps the .text section of x64 ntdll by using Heaven’s Gate to call NtWriteVirtualMemory and NtProtectVirtualMemory to replace the in-memory mapped ntdll with the .text from a fresh ntdll read from the file C:\windows\system32\ntdll.dll. This unhooking technique is also used on the process hosting the final Cobalt Strike payload (logagent.exe) in a final attempt to evade detection.

Process Hollowing Variation

To inject the subsequent shellcode into the child process cmd.exe, the malware utilizes common process hollowing techniques. This involves mapping the legitimate Windows DLL mshtml.dll into the target process and then replacing its .text section with shellcode. An additional step necessary to trigger the execution of the remote shellcode is detailed in a later section.

To set up the hollowing, the sample creates two pipes that are used to redirect the Standard Input and the Standard Output of the child process (specified in the aforementioned configuration blob, C:\windows\syswow64\cmd.exe) by placing the pipes’ handles in a STARTUPINFOW structure spawned with CreateProcessW API.

One key distinction between this implementation and the typical “standard” process hollowing can be observed here: In standard process hollowing, the child process is usually created in a suspended state. In this case, the child is not explicitly created in a suspended state, making it appear less suspicious. Since the child process is waiting for an input from the pipe created previously, its execution is hanging on receiving data from it. Essentially, we can call this an interactive process hollowing variation.

As a result, the newly spawned cmd.exe will read input from the STDIN pipe, effectively waiting for new commands. At this point, its EIP (Extended Instruction Pointer) is directed toward the return from the NtReadFile syscall. The following section details the steps taken by the second-stage shellcode to set up the child process cmd.exe ultimately used to perform the subsequent injections used to execute the final payload.

The parent process streaming_client.exe initiates an NtDelayExecution to sleep, waiting for cmd.exe to finish loading. Afterwards, it reads the legitimate Windows DLL mshtml.dll from the file system and proceeds to load this library into cmd.exe as a shared section. This is accomplished using the Heaven’s Gate technique for:

  • Creating a shared section object using  NtCreateSection
  • Mapping that section in the remote exe using NtMapViewOfSection

It then replaces the .text section of the mshtml DLL with malicious shellcode by using:

  • Heaven’s Gate to call  NtProtectVirtualMemory on exe to set RWX permissions on the .text section of the previously mapped section mshtml.dll
  • Heaven’s Gate to call NtWriteVirtualMemoryon the DLL’s .text section to stomp the module and write the third-stage shellcode

Finally, to trigger the execution of the remote-injected shellcode, the malware uses:

  • Heaven’s Gate to suspend (NtSuspendThread) the remote main thread
  • A new CONTEXT (by using NtGetContextThread and NtSetContextThread) to modify the EIP to point to the previously written shellcode
  • Heaven’s Gate to resume (NtResumeThread) the remote main thread of exe

However, because cmd.exe is waiting for user input from the STDINPUT pipe, the injected shellcode in the new process isn’t executed upon the resumption of the thread. The loader must take an additional step:

  • The parent process exe needs to write (WriteFile) \r\n string to the STDINPUT pipe created previously to send an input to cmd.exe after calling NtResumeThread. This effectively resumes execution of the primary thread at the shellcode’s entry point in the child process cmd.exe.

Interactive Process Hollowing Variation: Tradecraft Analysis

We have successfully replicated the threadless process hollowing technique to understand how the pipes trigger it. Once the shellcode has been written as described, it needs to be activated. This activation is based on the concept that when a program makes a syscall, the thread waits for the kernel to return a value.

In essence, the interactive process hollowing technique involves the following steps:

  • CreateProcess: This step involves spawning the exe process to inject the malicious code by redirecting STDIN and STDOUT to pipes. Notably, this process isn’t suspended, making it appear less suspicious. Waiting to read input from the pipe, the NtReadFile syscall sets its main thread’s state to Waiting and _KWAIT_REASON to Executive, signifying that it’s awaiting the execution of kernel code operations and their return.
  • WriteProcessMemory: This is where the shellcode is written into the exe child process.
  • SetThreadContext: In this phase, the parent sets the conditions to redirect the execution flow of the exe child process to the previously written shellcode’s address by modifying the EIP/RIP in the remote thread CONTEXT.
  • WriteFile: Here, data is written to the STDIN pipe, sending an input to the exe process. This action resumes the execution of the child process from the NtReadFile operation, thus triggering the execution of the shellcode. Before returning to user space, the kernel reads and restores the values saved in the _KTRAP_FRAME structure (containing the EIP/RIP register value) to resume from where the syscall was called. By modifying the CONTEXT in the previous step, the loader hijacks the resuming of the execution toward the shellcode address without the need to suspend and resume the thread, which this technique usually requires.

Transacted Hollowing² (Transacted Section/Doppelgänger + Hollowing)

The malware writes the final payload in the child process logagent.exe spawned by the third-stage shellcode in cmd.exe by creating a transacted section to be mapped in the remote process. Subsequently, the malware injects a fourth-stage shellcode into logagent.exe by loading and hollowing another instance of mshtml.dll into the target process. The injected fourth-stage shellcode performs the aforementioned hook bypass technique before executing the final payload previously allocated by the transacted section.

Transacted Section Hollowing

Similarly to process doppelgänging, the goal of a transacted section is to create a stealthy malicious section inside a remote process by overwriting the memory of the legitimate process with a transaction. In this sample, the third-stage shellcode executed inside cmd.exe places a malicious transacted section used to host the final payload in the target child process logagent.exe. The shellcode uses the following:

  • NtCreateTransactionto create a transaction
  • RtlSetCurrentTransaction and CreateFileW with a dummy file name to replace the documented  CreateFileTransactedW
  • Heaven’s Gate to call NtWriteFilein a loop, writing the final shellcode to the file in 1,024-byte chunks
  • Creation of a section backed by that file (Heaven’s Gate call NtCreateSection)
  • A rollback of the previously created section by using Heaven’s Gate to call  NtRollbackTransaction

Existing similar implementations have publicly been observed in this project that implements transaction hollowing.

Once the transacted section has been created, the shellcode generates a function stub at runtime to hide from static analysis. This stub contains a call to theCreateProcessW API to spawn a suspended child process logagent.exe (c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8) that was previously dropped by cmd.exe  under the %TEMP% folder.

After the target process has been created, the sample uses Heaven’s Gate to:

  • Read its PEBby calling NtReadVirtualMemory to retrieve its base address (0x400000)
  • Unmap the exe image in the logagent.exe process by using  NtUnMapViewofSection
  • Hollow the previously created transacted section inside the remote process by remapping the section at the same base address (0x400000) with NtMapViewofSection

Process Hollowing

After the third-stage shellcode within cmd.exe injects the final Cobalt Strike payload inside the transacted section of the logagent.exe process, it continues by process hollowing the target process to write the fourth shellcode stage ultimately used to execute the final payload (loaded in the transacted section) in the remote process. The third-stage shellcode maps the legitimate Windows DLL C:\Windows\SysWOW64\mshtml.dll in the target process before replacing its .text with the fourth-stage shellcode and executing it via NtResumeThread.

This additional fourth-stage shellcode written to logagent.exe performs similar evasion activities to the third-stage shellcode executed in cmd.exe (as indicated in the hook bypass section) before passing execution to the final payload.

Indicators of Compromise (IOCs)

File SHA256
streaming_client.exe 6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748

MITRE ATT&CK Framework

The following table maps reported HijackLoader tactics, techniques and procedures (TTPs) to the MITRE ATT&CK framework.

ID Technique Description
T1204.002 User Execution: Malicious File The sample is a backdoored version of streaming_client.exe, with the Entry Point redirected to a malicious stub.
T1027.007 Obfuscated Files or Information: Dynamic API Resolution HijackLoader and its stages hide some of the important imports from the IAT by dynamically retrieving kernel32 and ntdll API addresses. It does this by parsing PEB->PEB_LDR_DATA  and retrieving the function addresses.
T1016.001 System Network Configuration Discovery: Internet Connection Discovery This variant of HijackLoader connects to a remote server to check if the machine is connected to the internet by using the  WinHttp API (WinHttpOpenRequest and WinHttpSendRequest).
T1140 Deobfuscate/Decode Files or Information HijackLoader utilizes XOR mechanisms to decrypt the downloaded stage.
T1140 Deobfuscate/Decode Files or Information HijackLoader utilizes RtlDecompressBuffer to LZ decompress the downloaded stage.
T1027 Obfuscated Files or Information HijackLoader drops XOR encrypted files to the %APPDATA% subfolders to store the downloaded stages.
T1620 Reflective Code Loading


HijackLoader reflectively loads the downloaded shellcode in the running process by loading and stomping the mshtml.dll module using the LoadLibraryW and VirtualProtect APIs.
T1106 Native API


HijackLoader uses direct syscalls and the following APIs to perform bypasses and injections: WriteFileW, ReadFile, CreateFileW, LoadLibraryW, GetProcAddress, NtDelayExecution, RtlDecompressBuffer, CreateProcessW, GetModuleHandleW, CopyFileW, VirtualProtect, NtProtectVirtualMemory, NtWriteVirtualMemory, NtResumeThread, NtSuspendThread, NtGetContextThread, NtSetContextThread, NtCreateTransaction, RtlSetCurrentTransaction, NtRollbackTransaction, NtCreateSection, NtMapViewOfSection, NtUnMapViewOfSection, NtWriteFile, NtReadFile, NtCreateFile and CreatePipe.
T1562.001 Impair Defenses: Disable or Modify Tools HijackLoader and its stages use Heaven’s Gate and remap x64 ntdll to bypass user-space hooks.
T1055.012 Process Injection: Process Hollowing HijackLoader and its stages implement a process hollowing technique variation to inject in cmd.exe and logagent.exe.
T1055.013 Process Injection: Process Doppelgänging The HijackLoader shellcode implements a process doppelgänging technique variation (transacted section hollowing) to load the final stage in logagent.exe.
Continue Reading

Cyber Security

The Evolution of Zero Trust



Written by Dave Russell, Vice President, Enterprise Strategy at Veeam

Around 18 months ago, I was writing about the “endless journey” to Zero Trust. I used the word “endless” because Zero Trust is a mindset rather than a product or a destination – it’s a target to aim towards. Like many things in cyber, it’s a matter of constant evolution. You have to adapt to survive and thrive in your environment. Even the idea of Zero Trust has had to evolve with the times.

Changing with the times
A cat and mouse game, an arms race – call it what you want – security has always been about adapting and evolving to stay ahead of threats. Bad actors constantly experiment and move the needle to get ahead of their targets. This is exactly what has driven so much innovation across the industry since the first-ever cyber-attack took place. The security tools considered the benchmark, when I started my career 35 years ago, would be a paper shield against a modern cyber gang. It’s not just the tools that have had to evolve, but also the mindset – how we think about security and use the tools at our disposal has had to change.

Zero Trust is a prime example of this. Once, security was just around the perimeter, it was a moat around the castle, but once you were in, you were in. As more and more enterprises worldwide have adopted Zero Trust as a best practice, this has shifted. Security measures now need to be inside and outside – doors are locked, proof of identity is required, and people aren’t allowed access to parts of the castle if they don’t need to be there.

But the thing about evolution is that it never really stops.

Introducing Zero Trust Data Resilience
Even the most broadly used zero-trust models have a few fatal flaws in the modern environment. Namely, they lack any kind of guidance in pivotal areas like data backup and recovery. This gap is significant as recent attacks often attempt to target backup repositories. For example, according to the Veeam Ransomware Trends 2023 Report, ransomware attacks targeted backup repositories in at least 93% of attacks in 2022.

Data backup and recovery systems are critical parts of enterprise IT and must be considered as part of the security picture. They have read access to everything, they can write data into the production environment and contain full copies of the business’s mission-critical data. Simply put, following modern Zero Trust principles to the letter makes you fairly water-tight when it comes to ‘traditional’ security, but leaves a huge gap in the armour regarding backup and recovery.

But this is where we are. Zero Trust has become too limited in scope as threats have evolved, which is why the concept of ‘Zero Trust Data Resilience’ has been born. An evolution of Zero Trust, which essentially broadens the scope to ensure backup and recovery follow the same principles.

Bringing backup and recovery into the fold
The core concepts are the same. The principle of least privilege and assume breach mentality are still key. For example, backup management systems must be isolated on the network so that no unauthenticated users can access it. Likewise, the backup storage system itself must be isolated. Immutability is also key. Having backup data that cannot be changed or tampered with means if repositories are reached by attacks like ransomware, they cannot be affected by its malware.

Assuming a breach also means businesses shouldn’t implicitly ‘trust’ their backups after an attack. Having processes to properly validate the backup or ‘clean’ it before attempting system recovery is vital to ensure you aren’t simply restoring a still-compromised environment. The final layer of distrust is to have multiple copies of your backups – fail-safes in case one (or more) are compromised. The best practice is to have three copies of your backup, two stored on different media types, one stored onsite, and one kept offline. With these layers of resilience, you can start to consider your backup as Zero Trust.

Taking the first steps
With Zero Trust Data Resilience, just like Zero Trust, it’s a journey. You can’t implement it all at once. Instead, follow a maturity model where you gradually implement new practices and refine and evolve these over time. For example, if you don’t currently validate your backup data, start doing so manually and over time implement technology to automate and schedule routine validation processes.

The other key thing you need is buy-in – everyone in the organization must be on the journey together. Senior leadership is key to implementing any broad changes across an organisation, but so is educating across the business on new processes and their need. Finally, for Zero Trust Data Resilience especially, the security and wider IT operations teams must be aligned. Backup often falls under the responsibility of the latter, but as this becomes more and more crucial for security posture, the two need to work together to prevent security siloes or gaps.

The journey to Zero Trust is endless. So much so that the exact destination evolves. My advice to businesses is that while Rome wasn’t built in a day, it is better to start taking steps today, no matter how small, instead of postponing and being left behind.

Continue Reading
Advertisement CCW 2024

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.