The modern cybersecurity landscape is constantly evolving, and the blurring of network perimeters has given rise to increased interest in "Zero Trust". Spurred forward by President Biden's 2021 Executive Order citing the need for US federal organizations to move towards Zero Trust Architecture, Zero Trust has become the latest "gold standard" of cybersecurity frameworks.
While dozens of definitions of Zero Trust have been whizzing around the cybersecurity world, three overarching principles or mindsets form a common ground:
Never trust, always verify
Implement least privilege
Assume breach
In the Zero Trust Security model, assuming breach refers to a security mindset that always behaves as if the system is compromised. This encourages security experts to take necessary precautions to limit damage and re-secure systems proactively. Unfortunately, during implementation, that principle of "assuming breach" is often overshadowed by the first two.
Think you’ve implemented "Assume Breach" perfectly?
Here’s a detailed checklist to help you evaluate whether your security architecture truly lives up to this Zero Trust principle.
Microsegmentation — Are You Creating Security Zones?
What It Entails: Microsegmentation means dividing your network into smaller, secure segments and monitoring all the traffic that passes between them. Even if attackers penetrate one area of the network, they won’t be able to easily move laterally to other parts.
Questions to Ask:
Have you divided your network into isolated security zones?
Can you monitor and control traffic between different workloads and parts of the network?
Checklist:
🔲 Network is divided into multiple segments (microzones), with a default-deny policy between them so that only explicitly allowlisted flows cross a zone boundary.
🔲 Each zone has its own access controls and monitoring.
🔲 Traffic between zones requires explicit verification and encryption.
🔲 Any abnormal activity across zones is flagged immediately.
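The last two checklist items only mean something if the allowed cross-zone flows are written down somewhere a machine can check them. The following is an added example, not code from the original article or from any product it mentions: it defines a hypothetical four-zone layout (web, app, db, mgmt) as CIDR ranges, an explicit allowlist of (source zone, destination zone, port) tuples, and evaluates constructed flow-log lines against it. Anything not allowlisted, and anything from an address that belongs to no zone, is flagged. The zone names, CIDRs, ports and log format are all assumptions made for the example.

```python
"""Check cross-zone traffic from flow logs against an explicit zone allowlist.

Added example: the zones, allowed flows and log lines are all constructed
for illustration and do not describe any real network.
"""
import ipaddress
from collections import namedtuple

# Security zones as CIDR ranges (assumed layout).
ZONES = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}

# Explicit allowlist of (source zone, destination zone, destination port).
# Everything else crossing a zone boundary is denied (default deny).
ALLOWED_FLOWS = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}

Flow = namedtuple("Flow", "src dst dport proto")


def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Constructed log format: '<src_ip> <dst_ip> <dst_port> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def evaluate(flow):
    """Return (verdict, reason) for one flow under the zone policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny", f"unzoned address in {flow.src}->{flow.dst}"
    if src_zone == dst_zone:
        # Intra-zone traffic is allowed in this example; a stricter policy
        # could allowlist it per workload as well.
        return "allow", f"intra-zone {src_zone}"
    if (src_zone, dst_zone, flow.dport) in ALLOWED_FLOWS:
        return "allow", f"{src_zone}->{dst_zone}:{flow.dport} allowlisted"
    return "deny", f"{src_zone}->{dst_zone}:{flow.dport} not allowlisted"


def find_violations(lines):
    """Return a list of (flow, reason) for flows the segmentation policy should block."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            out.append((flow, reason))
    return out


# Constructed sample: two allowed flows, one intra-zone flow, and three
# flows that should never appear (web straight to db, app back into mgmt,
# and an address outside every zone reaching the database).
SAMPLE_FLOWS = """
10.1.0.5 10.2.0.10 8443 tcp
10.2.0.10 10.3.0.7 5432 tcp
10.1.0.5 10.3.0.7 5432 tcp
10.9.0.2 10.3.0.7 22 tcp
10.1.0.5 10.1.0.9 80 tcp
10.2.0.10 10.9.0.2 22 tcp
192.168.50.4 10.3.0.7 5432 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"FLAG {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

Run against real flow records (VPC flow logs, firewall logs, NetFlow), the same loop answers the checklist's question directly: any "deny" row that actually completed a connection is evidence that the segmentation you think you have is not being enforced.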
Least Privilege Access — Are Users Only Getting What They Need?
What It Entails: Assume Breach means understanding that an insider’s credentials may be compromised. Users (including employees, contractors, and automated systems) should have the least possible privileges needed to execute their tasks. Access should always be granted on a "need-to-know" basis, with constant reevaluation.
Questions to Ask:
Are users given minimal access needed for their jobs?
Is privileged access tightly controlled and monitored?
Checklist:
🔲 User roles are well-defined with minimal access rights.
🔲 Admin privileges are limited and restricted to specific systems.
🔲 Elevated privileges are reviewed and adjusted frequently.
🔲 Just-in-time (JIT) access is in place (users only get permissions when needed, and they expire after use).
Continuous Monitoring — Are You Watching EVERYTHING in Real Time?
What It Entails: You must be constantly watching your entire network and all endpoints (devices) for any suspicious or anomalous behavior. Real-time insights help you react immediately to potential breaches and contain them before significant damage occurs.
Questions to Ask:
Do you monitor all the traffic inside your network and not just at the perimeter?
Are behavioral baselines established to detect unusual activities?
Checklist:
🔲 Every endpoint (desktop, mobile, IoT device, etc.) is continuously monitored.
🔲 Real-time alerts notify security teams about unusual behavior.
🔲 There’s a centralized dashboard for tracking and correlating incidents.
🔲 Incident response processes are triggered immediately upon suspicious activity.
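"Behavioral baselines" is easy to write on a checklist and harder to picture. The block below is an added example, not code from the original article: it learns a per-user baseline (source IPs and login hours) from a constructed authentication log, then evaluates a second batch of constructed lines and raises alerts for a login from a never-seen source, a login well outside the user's usual hours, and a burst of failed logins within a short window. The log format, thresholds and every entry are assumptions made for the example.

```python
"""Flag logins that deviate from a per-user behavioral baseline.

Added example. The log format and all entries below are constructed for
illustration and do not come from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed format: "<ISO timestamp> <user> <src_ip> <result>"
BASELINE_LOG = """
2024-05-01T09:02:11 alice 203.0.113.10 success
2024-05-01T09:15:40 alice 203.0.113.10 success
2024-05-02T08:55:03 alice 203.0.113.10 success
2024-05-02T10:20:19 alice 203.0.113.11 success
2024-05-01T13:30:00 bob 198.51.100.7 success
2024-05-02T14:05:45 bob 198.51.100.7 success
2024-05-03T13:48:12 bob 198.51.100.7 success
""".strip().splitlines()

NEW_LOG = """
2024-05-06T09:10:00 alice 203.0.113.10 success
2024-05-06T03:12:09 alice 203.0.113.10 success
2024-05-06T14:00:00 bob 192.0.2.44 success
2024-05-06T14:00:05 bob 198.51.100.7 failure
2024-05-06T14:00:06 bob 198.51.100.7 failure
2024-05-06T14:00:07 bob 198.51.100.7 failure
2024-05-06T14:00:08 bob 198.51.100.7 failure
""".strip().splitlines()


def parse(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def build_baseline(lines):
    """Per user: the set of source IPs and login hours seen in the learning window."""
    base = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, user, ip, result in map(parse, lines):
        if result == "success":
            base[user]["ips"].add(ip)
            base[user]["hours"].add(ts.hour)
    return base


def detect(baseline, lines, fail_threshold=3, window_s=60):
    """Return alert tuples (user, rule, detail) for events outside the baseline."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, user, ip, result in map(parse, lines):
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "unknown_user", ip))
            continue
        if result == "failure":
            recent = [t for t in failures[user] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[user] = recent
            # Alert once, when the threshold is crossed, not on every later failure.
            if len(recent) == fail_threshold:
                alerts.append((user, "failure_burst", f"{len(recent)} failures in {window_s}s"))
            continue
        if ip not in profile["ips"]:
            alerts.append((user, "new_source_ip", ip))
        # Off-hours: more than two hours away from every hour previously seen for
        # this user. (Simple absolute difference; midnight wrap-around is ignored.)
        if all(abs(ts.hour - h) > 2 for h in profile["hours"]):
            alerts.append((user, "off_hours_login", ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print("ALERT", *alert)
```

On the constructed data this produces three alerts: alice's 03:12 login (off hours), bob's login from 192.0.2.44 (new source), and bob's three failures in one minute. The point for the checklist is that none of these events is a perimeter event; they are only visible if authentication logs from inside the network are collected and compared against what is normal for each identity.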
Multi-Factor Authentication (MFA) Everywhere — Do You Implement MFA for All Critical Access Points?
What It Entails: It’s no longer enough to simply rely on passwords. Multi-Factor Authentication (MFA) means that even if credentials are compromised, attackers still need to pass additional authentication barriers before gaining access to critical systems. Note that not all factors are equal: push notifications and one-time codes can be defeated by prompt-fatigue attacks and by phishing kits that relay the code in real time, so for privileged access prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or certificate-based authentication.
Questions to Ask:
Is MFA enforced for all users accessing sensitive data or systems?
Do you apply MFA both for internal systems and external cloud services?
Checklist:
🔲 Multi-Factor Authentication is required for all critical systems, using phishing-resistant factors wherever the access is privileged.
🔲 MFA is enforced for employees, third-party contractors, and vendors.
🔲 MFA is in place for access to cloud services (SaaS solutions), VPNs, and internal applications.
Assume Phishing Success — Have You Accounted for Credential Theft?
What It Entails: Phishing attacks are a common entry point for attackers. Assume Breach requires preemptively planning for phishing success. This means limiting the damage attackers can do with compromised credentials.
Questions to Ask:
Are phishing simulations conducted regularly?
Do employees and users understand how to report phishing attempts?
Checklist:
🔲 Phishing simulations are conducted regularly and tracked.
🔲 Steps for users to report phishing incidents are clear and easy to follow.
🔲 If credentials are compromised, account access is immediately revoked, including active sessions, refresh tokens and API keys, not only the password.
🔲 Policies ensure that exposed passwords cannot grant significant privileges or allow lateral movement in the network.
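The just-in-time item in the least-privilege checklist above and the revocation item in this one are two sides of the same mechanism: privileges are granted with an expiry, and a confirmed compromise ends them early. The following is an added example, not code from the original article or from any product it mentions; it models a hypothetical access broker in which nobody holds an admin role permanently, an elevation requires a distinct approver and a capped TTL, permission checks are evaluated against the current time, and one call revokes every active grant for a phished user. The role names, permissions, TTL cap and timestamps are assumptions made for the example.

```python
"""Just-in-time privilege grants with expiry and immediate revocation.

Added example; the roles, users, permissions and clock are constructed for
illustration and do not reflect any particular product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Standing roles per user: nobody holds an admin role permanently.
BASE_ROLES = {"alice": {"reader"}, "bob": {"reader"}}
ROLE_PERMS = {
    "reader": {"db:read"},
    "db-admin": {"db:read", "db:write", "db:schema"},
}
MAX_TTL = timedelta(hours=1)  # hard cap on any elevation


@dataclass
class Grant:
    user: str
    role: str
    expires: datetime
    revoked: bool = False


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, role, ttl, now, approver):
        """Issue a time-boxed grant; the TTL is capped and self-approval is refused."""
        if role not in ROLE_PERMS:
            raise ValueError(f"unknown role {role}")
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        ttl = min(ttl, MAX_TTL)
        grant = Grant(user, role, now + ttl)
        self.grants.append(grant)
        self.audit.append((now, "grant", user, role, approver))
        return grant

    def permissions(self, user, now):
        """Effective permissions at time `now`: standing roles plus live grants."""
        perms = set()
        for role in BASE_ROLES.get(user, set()):
            perms |= ROLE_PERMS[role]
        for g in self.grants:
            if g.user == user and not g.revoked and now < g.expires:
                perms |= ROLE_PERMS[g.role]
        return perms

    def can(self, user, perm, now):
        return perm in self.permissions(user, now)

    def revoke_user(self, user, now, reason):
        """End every still-active grant for a user, e.g. after a confirmed phish."""
        count = 0
        for g in self.grants:
            if g.user == user and not g.revoked and now < g.expires:
                g.revoked = True
                count += 1
        self.audit.append((now, "revoke", user, reason))
        return count


def demo():
    """Walk one user through elevation, expiry and compromise-driven revocation."""
    t0 = datetime(2024, 5, 6, 9, 0)
    broker = AccessBroker()
    before = broker.can("alice", "db:schema", t0)
    broker.request("alice", "db-admin", timedelta(minutes=30), t0, approver="bob")
    during = broker.can("alice", "db:schema", t0 + timedelta(minutes=10))
    after = broker.can("alice", "db:schema", t0 + timedelta(minutes=31))
    # Later the same day alice is elevated again, then her credentials are phished:
    # revoke immediately instead of waiting for the TTL to run out.
    broker.request("alice", "db-admin", timedelta(minutes=30),
                   t0 + timedelta(hours=2), approver="bob")
    revoked = broker.revoke_user("alice", t0 + timedelta(hours=2, minutes=5), "phished")
    post_revoke = broker.can("alice", "db:schema", t0 + timedelta(hours=2, minutes=6))
    return before, during, after, revoked, post_revoke


if __name__ == "__main__":
    print(demo())  # (False, True, False, 1, False)
```

Two design choices carry the "assume breach" weight here: permission checks consult the clock on every call rather than caching a decision at login, and revocation acts on the grant ledger rather than on the password, so a stolen session that is still authenticated loses its elevated rights the moment the revoke is recorded.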
Endpoint Protection — Are You Securing Every Device?
What It Entails: With the prevalence of remote work and bring-your-own-device (BYOD) culture, attackers often target laptops, smartphones, or other endpoints. Treat every endpoint as a potential entry point, and make sure they are secured and monitored at all times.
Questions to Ask:
Are all devices, including personal and mobile devices, protected?
Are there regular security updates and patches for all endpoints?
Checklist:
🔲 All endpoints have security software installed (antivirus, anti-malware).
🔲 Endpoint Detection and Response (EDR) tools are installed for detailed monitoring.
🔲 Only trusted, up-to-date devices are allowed to access critical systems.
🔲 Remote devices are routinely audited for security compliance.
Threat Hunting — Are You Proactively Looking for Breaches?
What It Entails: Don’t wait for a breach to happen — Assume Breach means actively searching for signs of attacker activity, even if no alert has been triggered. Threat hunting involves looking through logs, activity patterns, and network data, trying to find subtle clues of compromise.
Questions to Ask:
Is there a dedicated team that proactively hunts for threats?
Are tools in place to aid threat hunting with automation and intelligent data analysis?
Checklist:
🔲 Threat hunters regularly search for hidden or subtle threats.
🔲 Behavioral analysis tools or AI-assisted platforms help with proactive investigations.
🔲 Threat hunting sessions include cloud-based services alongside on-premise infrastructure.
🔲 Threat detection findings lead to adaptations in your security policy and defenses.
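A concrete hunt that follows from the description above, looking for "subtle clues" in network data rather than waiting for an alert, is a search for beaconing: a host that contacts the same destination on a near-fixed period, which is how much command-and-control traffic looks. The block below is an added example, not code from the original article: it groups constructed connection records by (source, destination, port), computes the gaps between consecutive connections, and flags pairs whose gap jitter (coefficient of variation) is low. The log format, thresholds and all records are assumptions made for the example.

```python
"""Hunt for beaconing: sources that reach one destination on a near-fixed period.

Added example. The connection records below are constructed for illustration;
no real traffic is represented.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
CONN_LOG = """
2024-05-06T12:00:00 10.0.0.5 203.0.113.99 443 512
2024-05-06T12:01:02 10.0.0.5 203.0.113.99 443 514
2024-05-06T12:01:59 10.0.0.5 203.0.113.99 443 512
2024-05-06T12:03:01 10.0.0.5 203.0.113.99 443 513
2024-05-06T12:04:00 10.0.0.5 203.0.113.99 443 512
2024-05-06T12:04:58 10.0.0.5 203.0.113.99 443 512
2024-05-06T12:06:03 10.0.0.5 203.0.113.99 443 515
2024-05-06T12:07:00 10.0.0.5 203.0.113.99 443 512
2024-05-06T12:00:10 10.0.0.7 198.51.100.20 443 1800
2024-05-06T12:00:15 10.0.0.7 198.51.100.20 443 22000
2024-05-06T12:03:40 10.0.0.7 198.51.100.20 443 900
2024-05-06T12:04:02 10.0.0.7 198.51.100.20 443 4100
2024-05-06T12:09:30 10.0.0.7 198.51.100.20 443 760
2024-05-06T12:09:33 10.0.0.7 198.51.100.20 443 31000
2024-05-06T12:15:00 10.0.0.7 198.51.100.20 443 1200
2024-05-06T12:02:00 10.0.0.7 192.0.2.8 25 300
2024-05-06T12:12:00 10.0.0.7 192.0.2.8 25 300
""".strip().splitlines()


def parse(line):
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def hunt_beacons(lines, min_conns=6, max_cv=0.15):
    """Return (key, mean_period_s, cv, count) for (src, dst, port) tuples that beacon.

    A pair is reported when it has at least `min_conns` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at most
    `max_cv`, i.e. the timing is too regular to be a human.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in sorted(map(parse, lines)):
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few samples to say anything about periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else 0.0
        if cv <= max_cv:
            findings.append((key, round(period, 1), round(cv, 3), len(stamps)))
    return findings


if __name__ == "__main__":
    for key, period, cv, count in hunt_beacons(CONN_LOG):
        src, dst, port = key
        print(f"BEACON? {src} -> {dst}:{port} every ~{period}s (cv={cv}, n={count})")
```

On the constructed data the 10.0.0.5 to 203.0.113.99:443 pair is reported (about 60 s period, cv under 0.05) while the irregular browsing from 10.0.0.7 is not. In a real hunt this query produces legitimate hits too, such as update checkers, NTP and monitoring agents, so a destination allowlist and a look at the per-connection byte counts belong in the same notebook before anything is escalated.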
Incident Response — Do You Have a Plan Ready?
What It Entails: Assume Breach requires action when (not if) a breach happens. A strong incident response plan should guide your team through every stage of identifying, containing, remediating, and learning from breaches.
Questions to Ask:
Do you have an incident response plan in place, and is the team fully trained on it?
Are there post-incident reviews to refine your response strategies?
Checklist:
🔲 Incident response plans are written, trained for, and regularly updated.
🔲 Incident response team (IRT) drills are performed to simulate breaches.
🔲 Incident investigation processes are immediately activated once an alert is triggered.
🔲 After-action reports (post-mortems) are written, and lessons are applied to the entire security process.
Encrypt Everything — Is Your Data Useless to Attackers?
What It Entails: Encryption is critical to Assume Breach because if an attacker steals disks, backups, or database files, encryption keeps the stolen information unreadable. Both data at rest and data in transit should be encrypted to minimize losses during a breach. The caveat is that encryption only helps if the attacker does not also hold the keys: an intruder who runs code as the application sees data exactly as the application does, so keys must be stored and managed separately from the data they protect (for example in a KMS or HSM), with access to them logged and limited.
Questions to Ask:
Is sensitive data encrypted both at rest and in transit?
Do you apply encryption to backups and cloud services?
Checklist:
🔲 Entire databases and sensitive file systems are encrypted.
🔲 Encryption standards are followed for both internal communications (network traffic) and files.
🔲 Third-party and cloud services storage are required to have encryption.
🔲 Backups and archived data are securely encrypted to prevent data theft.
Identity Verification — Do You Regularly Verify Both Users and Devices?
What It Entails: In a Zero Trust, Assume Breach world, identity validation is key. It’s not enough to grant access once and trust that identity forever. You must continuously verify user and device identities and assume that credentials may have been compromised.
Questions to Ask:
Are identity verification protocols in place for both users and devices?
Are there methods to detect compromised identities and restrict access?
Checklist:
🔲 Identity verification systems routinely re-validate users based on behavior and risk.
🔲 Devices are authenticated before accessing sensitive information.
🔲 Tools for risk-based identity verification (such as behavioral analytics or AI-driven solutions) are in place.
🔲 Compromised identities are instantly revoked and quarantined.
Are You Really Assuming Breach?
To truly assume breach, every access point, device, user, and connection must be treated as if it has already been compromised. Through regular monitoring, proactive threat hunting, secure access measures, and contingency plans, you reduce the potential damage and safeguard your critical infrastructure.
If you've checked off most of these items in your Zero Trust architecture, you’re well on your way to truly "Assuming Breach" and fortifying your environment. If not—consider what's missing and start closing those gaps.
🔐 Trust nothing. Verify everything.
UMV's Real-Time Monitoring Solutions
UMV Inc.'s security solutions, like WSS and WARSS, can help you strengthen your "Assume Breach" principles by offering continuous real-time monitoring of unauthorized changes to web server files. Find out more about how they work here:
Web Server Safeguard (WSS): https://umvwebsecurity.com/en/wss
Website Attack Restoration Security Solution (WARSS): https://umvwebsecurity.com/en/warss
Whether you've already implemented Zero Trust at your organization, or are now looking to lay the groundwork, careful planning and reviews are key. Resources like these are a great place to start:
CISA Zero Trust Maturity Model
NIST Zero Trust Architecture (Special Publication 800-207)