DFIR in Zero-Trust Environments: Utilizing AXIOM Cyber for Remote Collection with Zscaler
Organizations continue to embrace the zero-trust model to address security challenges brought about by distributed work environments. This means that every instance of communication must be validated upon request, and then routed accordingly.
While virtual private networks (VPNs) can provide the routing, they continue to use the gated security model. In response, Zscaler has developed a technology branded Zscaler Private Access (ZPA) to provide VPN-type outcomes while adding the benefits of cloud scaling, routing controls, and zero trust security.
Zscaler Private Access Overview
ZPA is a cloud technology that leverages an application called the Zscaler Client Connector (formerly “Z app”) running on a client machine to observe and route internet traffic. The controls are like those of a firewall (allowing and blocking certain traffic) and a proxy (taking requests and routing traffic accordingly).
When the local Zscaler Client Connector gets an outbound request to an internal corporate resource (such as a network repository), the connector performs a few functions: it authenticates to the Zscaler cloud and validates the request against the assigned user profile. If approved, the traffic is then routed from the cloud to the target destination, where system-, application-, and file-level permissions are applied.
Using Magnet AXIOM Cyber in Zero-Trust Environments
While zero-trust environments have strengthened the security perimeter of organizations—especially from external bad actors—zero-trust environments are not bullet-proof. Digital Forensics and Incident Response (DFIR) tools such as Magnet AXIOM Cyber are needed to provide an even higher level of security—especially against Insider Threats.
Organizations can utilize the following practices for successful network acquisition of endpoints with AXIOM Cyber; in Magnet’s testing, these have given us success when working within ZPA environments:
- Validate bi-directional network routing before troubleshooting the agent itself (can the endpoint ping the client and vice versa?).
- It can be helpful to work with network admins who can watch the ZPA logs to troubleshoot traffic.
- Try to avoid commonly used ports.
- Validate that ZPA is configured to approve traffic from the node to the AXIOM Cyber client machine. This may require whitelisting the FQDN or IP of the AXIOM Cyber client machine.
- Many environments that use ZPA also use FQDN to manage access permissions. If this restriction is in place, build the Cyber agent using FQDN for the AXIOM Cyber client.
- The Zscaler Client Connector should recognize the traffic and route automatically, so you should not have to configure the agent with a proxy address.
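The routing, port and FQDN checks in the list above, as an added pre-flight script that is not Magnet’s or Zscaler’s code; it is run on the endpoint against the AXIOM Cyber client machine, and the FQDN, port and the set of “commonly used” ports are assumptions:

```python
import socket
from dataclasses import dataclass, field

# Assumed set of frequently used/contended ports the tip above says to avoid
# for the agent connection; not a list published by Zscaler or Magnet.
COMMON_PORTS = {21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389, 8080}


@dataclass
class PreflightResult:
    fqdn: str
    port: int
    resolved_ips: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    reachable: bool = False


def resolve_fqdn(fqdn: str) -> list:
    """Addresses this endpoint resolves for the AXIOM Cyber client's FQDN."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Open a plain TCP connection, with no proxy, the way the agent does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(fqdn: str, port: int, timeout: float = 3.0) -> PreflightResult:
    """Endpoint-side checks; rerun with roles swapped to confirm the return path."""
    result = PreflightResult(fqdn=fqdn, port=port)
    if port in COMMON_PORTS:
        result.warnings.append(f"port {port} is commonly used; build the agent with a less contended port")
    result.resolved_ips = resolve_fqdn(fqdn)
    if not result.resolved_ips:
        result.warnings.append(f"{fqdn} does not resolve here; check DNS and the ZPA application segment")
        return result
    result.reachable = any(tcp_reachable(ip, port, timeout) for ip in result.resolved_ips)
    if not result.reachable:
        result.warnings.append(f"no TCP path to {fqdn}:{port}; have the ZPA admin review the client connector logs")
    return result
```

Call `preflight("axiom-client.example.corp", 9123)` on the endpoint while the AXIOM Cyber client is listening on that port, then run the same check from the examiner side toward the endpoint to cover both directions.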
Utilizing the tips listed above, you should be able to complete remote acquisitions within your zero-trust environments with AXIOM Cyber. As always, don’t hesitate to reach out to our world-class support team at firstname.lastname@example.org. If you haven’t tried AXIOM Cyber yet, request a free trial here.