Insider Information And The Art Of Zero Attack Surfaces
Thoroughly enjoyed a recent conversation with Albert Estevez Polo, Field CTO EMEA, Zero Networks, where we discussed what is really required for cyber security in 2026 and beyond, on the back of research they recently released.
The primary message is simple: it is how you maintain company operations when, not if, you are attacked, and what should become mandatory requirements, given the noises in this direction coming from the likes of the CSBR (Cyber Security and Business Resilience) body, the cyber security insurance companies and government bodies.
Albert zeroed in on how much damage is done from within and the importance of limiting lateral movement: containing threats at their point of entry and preventing them from spreading across the environment. This is something dear to my heart, having spent several weeks last year testing with Goldilock, whose technology enables you to create a remote physical disconnection in milliseconds, thereby creating instant damage limitation or, more fundamentally, only bringing resources online when they are needed – see previous blog:
https://www.computerweekly.com/blog/Networks-Generation/Securing-Your-Crown-Jewels
As we both agreed, it’s not a case of “reducing your attack surface”, it’s about starting off with absolutely no surface whatsoever to attack in the first place, then ensuring that everything is tracked from within and being able to trigger additional defence mechanisms as required, as ports and services are opened on demand. As Albert noted: “If you don’t know your blast radius, you don’t have a cyber resilience plan.”
I’ve said for years that, in order for an infrastructure to be secure, IT effectively needs to recreate the simplicity of the mainframe, without the inherent limitations of that system or the vendor lock-in. Instead, the IT world has created absolute infrastructure monsters: unmanageable, invisible and impossible to defend against cyber attacks. Again, we agreed on this topic of simplicity being the solution, making everything visible and therefore not only more defendable in the first place, but also still operational in the event of the inevitable breach. Another point we agreed on is that AI-enabled attacks are only going to accelerate the scale of the issue, talking of automated elephants in the room… It’s amazing how many companies talk about the benefits of AI without adding that it is the finest cyber attack weaponry ever invented ☹.
Back to the research itself – key technical findings from the report include:
- Most threats sneak past defences by appearing to be legitimate activity. The most dangerous activity looks legitimate and blends into routine admin behaviour.
- Attackers do not need many techniques to be effective. 71% of observed threat activity uses ubiquitous always-on management protocols like SMB, RDP, WinRM and RPC. These are standard Microsoft management protocols found in virtually every enterprise environment. These protocols are foundational to Windows, Active Directory and IT operations. They are required for business continuity and cannot simply be disabled or blocked.
- Low-frequency signals often indicate high-impact risk. Certain systems appeared less frequently in detections, including: Microsoft SQL Server (~3% of detections, ranked 9th); System Center Configuration Manager (2%, ranked 10th); Active Directory Web Services (2%, ranked 11th). While these systems generate fewer alerts, access to them signals potential control over core databases, endpoint management or identity infrastructure.
- Less about attacker skill; more about organizations engineering their own failure points. A single compromised system can reach a median of 85% of internal systems in one hop, and effectively 100% in the second hop. With average compromise within 48 minutes, the time between entry and disruption leaves little to no time to react and take effective countermeasures.
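The "blast radius" figures above are a reachability question: from one compromised host, how many others are within one or two hops over the management ports that are allowed to be open? The small Python model below is an added illustration, not code from the report or from Zero Networks; the hosts, the always-on "flat" policy and the segmented policy are constructed, and the hop counts are computed with a plain breadth-first search over the allowed flows.

```python
from collections import deque
from statistics import median

# Constructed sample estate: three workstations, a jump host and four servers.
HOSTS = ["ws1", "ws2", "ws3", "jump", "dc1", "sql1", "sccm1", "file1"]
SERVERS = ["dc1", "sql1", "sccm1", "file1"]
MGMT_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 135: "RPC"}

def flat_policy():
    """The common default: every management port reachable from every host."""
    return {(s, d, p) for s in HOSTS for d in HOSTS if s != d for p in MGMT_PORTS}

def segmented_policy():
    """Management ports only from the jump host to servers; workstations get
    SMB to the file server and nothing else (ports opened on demand elsewhere)."""
    rules = {("jump", srv, p) for srv in SERVERS for p in MGMT_PORTS}
    rules |= {(ws, "file1", 445) for ws in ("ws1", "ws2", "ws3")}
    return rules

def reachable(rules, start, max_hops):
    """Hosts an attacker on `start` can reach within max_hops over allowed flows."""
    adjacency = {}
    for src, dst, _port in rules:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        host, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in adjacency.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    seen.discard(start)
    return seen

def blast_radius_pct(rules, start, max_hops):
    """Percentage of the other hosts reachable from `start` within max_hops."""
    return round(100 * len(reachable(rules, start, max_hops)) / (len(HOSTS) - 1))

def median_blast_radius(rules, max_hops):
    """Median blast radius across every possible point of entry."""
    return median(blast_radius_pct(rules, h, max_hops) for h in HOSTS)

if __name__ == "__main__":
    for name, policy in (("flat", flat_policy()), ("segmented", segmented_policy())):
        print(name, "1-hop median:", median_blast_radius(policy, 1),
              "2-hop median:", median_blast_radius(policy, 2))
```

Under the flat policy every entry point reaches 100% of the estate in one hop; under the segmented policy a compromised workstation reaches only the file server, and a second hop gains nothing because the servers have no outbound management flows of their own.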
If you want to read more – and why not? – a more detailed analysis of the research is available here:
https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius
Meantime, stay warm, stay safe, stay visible, think laterally and only enable what you need, when you need it.
