ZERO TRUST ARCHITECTURE – PROTECTION AGAINST CYBER ATTACKS
Adam STOJAŁOWSKI, Ph.D. [1]
Summary
The aim of the article is to characterise the Zero Trust concept in terms of protecting the
resources of the enterprise's local computer network against cyber attacks. In addition,
the purpose of the article is to present an analysis of the simulated cyber attack carried
out in terms of the requirements for protecting the ICT infrastructure within the
framework of the Zero Trust concept. The subject of the considerations is to present the
requirements of the Zero Trust concept in terms of current cyber threats and the
possibilities of defence against cyber attacks.
Keywords: cybersecurity, Zero Trust, vulnerability protection, cyber attack
Introduction
Currently, we are witnessing the intensive use of information technology,
shaping the image of the modern information society. There is also a dynamic
development of software, hardware and services, offering the user an increasing number
of functions, resources and computing power. All this means that the use of information
technology has become a permanent feature of everyday activity, both in private and
business-related activities. The increased demand for access to IT systems and services
also resulted in increased hacker activity, which in turn necessitated the implementation
of increasingly new security measures. The implementation of the aforementioned
safeguards requires administrators to become increasingly skilled in cybersecurity. This
is due to the need to implement advanced technology, the configuration and maintenance
of which requires specialized knowledge. This is where the first research problem
emerges, together with the question it raises: what is the current cyber threat landscape
in the context of international analysis? With regard to awareness and the ability to
counteract cyber threats, it is worth paying attention to another problem, that of
obtaining qualified personnel who are able to implement and monitor security
mechanisms and respond to cyber threats. Challenges related to obtaining qualified staff
and an evaluation of the IT industry can be found in the Cybercrime Magazine article [2].
[1] Lecturer at the Polish Naval Academy, 69 Śmidowicza Str., 81-127 Gdynia, Poland, ORCID 0000-0001-9503-8762.
[2] Morgan S., "Cybercrime Magazine". Cybersecurity Jobs Report: 3.5 Million Openings In 2025, Cybersecurity Ventures, 14 Apr. 2023, [Link] year%20period,to%20the%20MIT%20Technology%20Review. Accessed 21 Dec. 2023.
There is a view in the cybersecurity community that if you want to
effectively secure a system, you should know how a hacker attacks the system. Following
this line of thinking, another research problem can be identified: which local area network
security architecture will protect network resources against advanced malware?
Therefore, the subject of this article's research is the security of an enterprise's computer
network resources against cyber attacks in the context of the Zero Trust concept.
Theoretical methods, which included synthesis, comparison, inference by analogy and
explanation, based mainly on an analysis of the literature on the subject of the research,
were helpful in achieving the research objective and answering the research problems. The
article also uses empirical research, applying a quantitative method to assess the
effectiveness of a simulated cyber attack carried out in a laboratory environment.
The cyber threat landscape
According to the ENISA Threat Landscape report [3], eight prime threat
groups were highlighted, the first of which is ransomware and malware. Social engineering
is also listed; it is related to human behaviour and involves inducing the user to disclose
information, up to and including the loss of login credentials. The last of them, the supply
chain attack, targets the relationship between organisations and their suppliers; in this kind
of cyber attack, both the supplier and the customer are targeted.
Fig. 1. ENISA Threat Landscape 2022 – Prime threats, [Link] p. 8, Accessed 23 Nov. 2023.
[3] ENISA Threat landscape 2023, July 2022 to June 2023, 19 Oct. 2023, [Link] Accessed 23 Nov. 2023.
According to the Mandiant Special Report [4], the industry most often
attacked is government, accounting for almost a quarter of all incidents. According to
Mandiant, this is related to attacks on Ukrainian government infrastructure. In addition,
Mandiant observed that the business/professional services, financial, high tech and healthcare
industries were favoured by adversaries. Exploits and phishing are the most leveraged initial
infection vectors used by adversaries; stolen credentials and previously compromised systems
are also highlighted as initial vectors.
Fig. 2. Global industries targeted 2022 and initial infection vector, by Mandiant Special Report, [Link] pp. 22-23, Accessed 23 Nov. 2023.
In its report [5], Unit 42 of Palo Alto Networks identified seven industry groups
that were exposed to cyber attacks. The sector most exposed to threats was finance, followed
by professional and legal services, manufacturing and healthcare. Ransomware and
Business Email Compromise were the top attacks over the last year, accounting for
approximately 70 percent of all incident cases. In turn, the suspected means of initial
access for ransomware was mostly software vulnerabilities. According to the Unit 42 report, the top
two access vectors for threat actors were phishing and exploitation of known software
vulnerabilities, both reaching 68 percent. With regard to the information about
vulnerabilities, it can be noted that the ProxyShell vulnerability was predominantly
exploited. ProxyShell is an attack chain that exploits vulnerabilities mainly in Microsoft
Exchange Servers.
[4] Mandiant M-Trends 2023, Mandiant Special Report, 27 Jun 2023, [Link] Accessed 23 Nov. 2023.
[5] Incident Response Report 2022, Unit 42 Palo Alto Networks, 26 Jul. 2022, [Link] Accessed 23 Nov. 2023.
Fig. 3. Top affected industries and incident cases in 2022, by Unit 42 Palo Alto Networks Incident Response Report, [Link] pp. 8-14, Accessed 23 Nov. 2023.
In the next few years we will see the increasing integration of components and
services combined into new products, new software and its dependencies. Adversaries
may want to manipulate these software dependencies by adding pieces of malicious code,
such as backdoors or other malware like Trojans. These assumptions are confirmed by
Foresight 2030 Threats published by ENISA [6], which ranks threats in the software supply chain
at the top of the list.
Zero Trust architecture
The following part of this article presents the concept of the Zero Trust
architecture by referring to available publications and principles of architecture
implementation, and outlines the results of a simulated cyber attack carried out in
a laboratory environment.
The need to implement Zero Trust architecture
Many enterprises still secure the LAN at its boundary with a public
network using a perimeter-based firewall. For this purpose, they use older generation
firewalls that operate mainly at the network (L3) and transport (L4) layers of the TCP/IP
model. This type of firewall protects inbound and outbound traffic mainly
by inspecting the IP packet header and the TCP and UDP headers. Protection of LAN
resources by packet inspection at the L3 and L4 layers is currently insufficient. Advanced
malware often uses a technique in which malicious code is placed inside the packet's
contents (the payload), which cannot be detected by analysing only the packet header.
Even if a network administrator implements a demilitarised zone (DMZ) and separates key
servers from the LAN, a cyber attack can still occur, because there is no support for full
network traffic encryption and visibility.
[6] ENISA Foresight 2030 Threats, 13 Sep. 2023, [Link] threats, Accessed 23 Nov. 2023.
Fig. 4. Perimeter-based firewall protection [own elaboration]. The diagram shows the enterprise network (LAN and DMZ) separated from the public network by a perimeter-based firewall that filters only on source IP / source port and destination IP / destination port.
The concept of the Zero Trust model assumes the implementation of a
number of security measures to protect and monitor the traffic of each element of the
enterprise's computer network. The intention is to provide comprehensive protection for
the data and services processed by the enterprise, regardless of the location of its physical
assets. One of the main physical devices implementing comprehensive protection is the
next generation firewall (NGFW), which, unlike the earlier technology, operates across
the full TCP/IP model, i.e. in all of its layers. In addition, NGFWs provide
functions such as user identification, deep packet inspection, a built-in mechanism for
intrusion prevention (IPS), advanced malware detection, application identification and
control, URL filtering, and packet transmission visibility through inspection of
encrypted traffic.
More information about NGFWs can be found on the websites of companies
such as Check Point [7], Fortinet [8], and Palo Alto [9].
[7] What is a Next Generation Firewall (NGFW)? Check Point Software Technologies Ltd., [Link] Accessed 28 Dec. 2023.
[8] What Is A Firewall? Fortinet, Inc., [Link] Accessed 28 Dec. 2023.
[9] Next-Generation Firewall, Palo Alto Networks, [Link] security/next-generation-firewall, Accessed 28 Dec. 2023.
Fig. 5. Next generation firewall protection [own elaboration]. The diagram shows the same enterprise network (LAN and DMZ) protected by a next generation firewall that, in addition to source/destination IP and port filtering, performs application identification, content filtering, user identification, URL filtering, traffic encryption, and monitoring and logging.
Zero Trust architecture in publications
The need to describe the Zero Trust concept resulted in the development
and release of Special Publication 800-207 [10] by the National Institute of Standards and
Technology in August 2020. The cited publication was subsequently used to develop a
series of publications by the U.S. Department of Defense defining and specifying the
scope and roadmap for the implementation of Zero Trust in the Department. These
documents include:
- DoD Zero Trust Strategy [11], published in October 2022;
- Department of Defense (DoD) Zero Trust Reference Architecture Version 2.0 [12],
published in July 2022;
- DoD Zero Trust Capability Execution Roadmap (COA 1) [13], published in January
2023.
The last cited document assumes that work on the implementation of Zero
Trust began in 2023 and will be completed in 2027.
As stated in NIST SP 800-207, Zero Trust (ZT) is an approach
primarily focused on data and service protection, encompassing enterprise assets
and subjects. The group of enterprise assets includes items such as devices, physical and
virtualised infrastructure components, and applications. The group of subjects includes
end users and any other process that requests access to information resources. Meanwhile,
Zero Trust architecture (ZTA) is a security plan based on the principles of the Zero Trust
concept, designed to protect the data processed by an enterprise regardless of
its location, including protection against lateral movement. In other words, it is a way of
thinking summarised as "never trust, always verify".
[10] NIST Special Publication 800-207, Zero Trust Architecture, Aug. 2020, [Link] Accessed 23 Nov. 2023.
[11] DoD Zero Trust Strategy, 07 Nov. 2022, US Department of Defense, [Link] Accessed 23 Nov. 2023.
[12] Department of Defense (DoD), Zero Trust Reference Architecture, Version 2.0, US Department of Defense, Jul. 2022, [Link] Accessed 23 Nov. 2023.
[13] DoD Zero Trust Capability Execution Roadmap (COA 1), US Department of Defense, 06 Jan. 2023, [Link] Accessed 23 Nov. 2023.
In accordance with the DoD Zero Trust Strategy publication, the Zero Trust
model should be perceived in terms of pillars covering seven areas related to the
security of processed information. These include the security of users, devices,
applications and the computer network, as well as the ability to automate, visualise and analyse
processed data.
Fig. 6. DoD Zero Trust Pillars, [Link] p. 10, Accessed 23 Nov. 2023.
Implementation of Zero Trust architecture
In most cases, when considering the implementation of Zero Trust
architecture in an enterprise, a transition period should be taken into account during which
the existing elements that operate within the perimeter-based architecture will be
gradually replaced. This transition period is called a hybrid zero-trust/perimeter-based
mode.
According to the Palo Alto Cybersecurity Survival Guide [14], when deciding
to implement the Zero Trust model, an enterprise should adopt key principles that include:
- Ensure that all resources are accessed securely, regardless of location;
- Adopt a least privilege strategy and strictly enforce access control;
- Inspect and log all traffic.
In Palo Alto Networks' approach, the Zero Trust principles refer to the need to
ensure control over the protect surface, in which users are given access only to
necessary assets. According to the cited guide, a protect surface consists of the most
critical and valuable data, assets, applications, and services that are processed in the
computer network. The task of the next-generation firewall is to control access to the
protect surface by permitting only allowed network traffic. A least privilege strategy as
well as resource access control should be implemented; the aim is to limit unauthorised
transmission as well as the possibility of malware spreading. Another important aspect
found in the cited publication is ensuring secure access to resources regardless of
location, which is achieved by implementing trust zones as well as transmission
encryption. Finally, all network traffic should be monitored in real time and collected for
a defined period of time, so that enterprise assets are protected against potential cyber
threats.
[14] Miller L. C., Cybersecurity survival guide. Fundamental Principles and Best Practices. Sixth Edition, Palo Alto Networks, Inc., Apr. 2022, pp. 64-66.
Fig. 7. Zero Trust protect surface, by Palo Alto Networks. Miller L. C., Cybersecurity survival guide. Fundamental Principles and Best Practices. Sixth Edition, Palo Alto Networks, Inc., Apr. 2022, p. 66.
Similarly, as can be found in the Microsoft publication [15], the Zero Trust
security principle is built on identity, enforcing the need for strong authorization regardless of
whether users use a personal or corporate computer. Microsoft's Zero Trust architecture
is presented as a comprehensive strategy in which the integration of all its elements is
required. A condition was adopted enforcing access to assets under the principle of least
privilege in all areas covered by the architecture, i.e. identities, endpoints, network,
applications, on-premises and cloud infrastructure, as well as data resources. Each request
for access to data must be preceded by an authentication and authorization process as well
as transmission encryption. In addition, filtering and segmentation are carried
out before data is accessed, regardless of whether the traffic comes from a private or public
network. Every request for access to protected data is analysed, providing automatic
protection against threats in real time.
[15] Evolving Zero Trust. How real-world deployments and attacks are shaping the future of Zero Trust strategies, Microsoft Corporation, Nov. 2021, [Link] trust, Accessed 23 Nov. 2023.
Fig. 8. Zero Trust architecture diagram, by Microsoft Corporation, [Link] Accessed 28 Dec. 2023.
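The two preceding sections describe the same per-request rule from two vendors' viewpoints: every access is authenticated and authorised on its own merits, least privilege is enforced explicitly, the network a request arrives from confers no trust, and every decision is logged. The following policy decision function is an added example illustrating that rule; it is not code from the paper, from NIST, Palo Alto Networks or Microsoft, and the identity, device and grant inventories it consults are constructed stand-ins for an identity provider, a device-management system and a policy store.

```python
"""Per-request Zero Trust access decision (constructed example, not any vendor's product logic).

Every request is checked for a verified identity, a managed and compliant device and an
explicit least-privilege grant. The source network is recorded for visibility and
analytics but never consulted when granting access.
"""
from dataclasses import dataclass

# Constructed identity, device and grant inventories (stand-ins for an IdP, an MDM and a policy store).
IDENTITIES = {
    "alice":   {"enabled": True,  "roles": {"finance-analyst"}},
    "bob":     {"enabled": True,  "roles": {"contractor"}},
    "mallory": {"enabled": False, "roles": {"finance-analyst"}},  # disabled account
}
DEVICES = {
    "LAPTOP-01": {"managed": True,  "compliant": True},
    "LAPTOP-02": {"managed": True,  "compliant": False},  # managed but failing posture checks
    "BYOD-7":    {"managed": False, "compliant": False},
}
# Least privilege: only these (role, resource, action) triples are allowed; anything else is denied.
GRANTS = {
    ("finance-analyst", "ledger-db", "read"),
    ("finance-analyst", "ledger-db", "write"),
    ("contractor", "ticketing", "read"),
}


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool   # strong authentication completed for this session
    device: str
    source_net: str      # "corporate-lan", "vpn", "internet": informational only
    resource: str
    action: str


def decide(req, audit):
    """Return 'allow' or 'deny' and append one audit record for every request."""
    reasons = []
    ident = IDENTITIES.get(req.user)
    if ident is None or not ident["enabled"]:
        reasons.append("identity unknown or disabled")
    if not req.mfa_verified:
        reasons.append("strong authentication not completed")
    dev = DEVICES.get(req.device)
    if dev is None or not dev["managed"]:
        reasons.append("device not managed")
    elif not dev["compliant"]:
        reasons.append("device not compliant")
    if ident is not None and not any((r, req.resource, req.action) in GRANTS for r in ident["roles"]):
        reasons.append("no least-privilege grant for this resource/action")
    verdict = "allow" if not reasons else "deny"
    # The source network is logged, but none of the checks above consulted it.
    audit.append({"user": req.user, "device": req.device, "source_net": req.source_net,
                  "resource": req.resource, "action": req.action,
                  "verdict": verdict, "reasons": reasons})
    return verdict


def demo():
    """Evaluate a set of constructed requests; returns the verdicts and the audit log."""
    audit = []
    verdicts = {
        # remote, but verified identity, compliant managed device and a matching grant
        "alice_remote_read": decide(Request("alice", True, "LAPTOP-01", "internet", "ledger-db", "read"), audit),
        # on the corporate LAN, yet without strong authentication: location is not a substitute
        "alice_lan_no_mfa": decide(Request("alice", False, "LAPTOP-01", "corporate-lan", "ledger-db", "read"), audit),
        # right user and MFA, but an unmanaged personal device
        "alice_byod": decide(Request("alice", True, "BYOD-7", "corporate-lan", "ledger-db", "read"), audit),
        # valid contractor reaching for a resource outside their grants
        "bob_ledger_write": decide(Request("bob", True, "LAPTOP-01", "vpn", "ledger-db", "write"), audit),
        # disabled account, even from the LAN on a compliant device
        "mallory_lan": decide(Request("mallory", True, "LAPTOP-01", "corporate-lan", "ledger-db", "read"), audit),
    }
    return verdicts, audit


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name}: {verdict}")
```

The decision collects every failed check rather than stopping at the first one, so the audit record explains the full reason for a denial; in a real deployment the inventories would be replaced by live lookups against the identity provider and device-management system, and the audit list by a SIEM feed.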
Simulated cyber attack
For the purposes of this article, a simulated cyber attack was carried out in
a laboratory environment. The research was aimed at determining the effectiveness of
protection against a cyber attack, taking into account selected mechanisms of the Zero
Trust architecture.
Assumptions and preparations for a cyber attack
The laboratory environment included three workstations and a next
generation firewall, all implemented as virtual machines on the VMware
Workstation Pro hypervisor. The main element ensuring security and separating packet
transmission was the Palo Alto firewall, which was managed from a dedicated virtual
machine running CentOS version 9. The simulated cyber attack was carried out from
a virtual machine running Kali Linux release 2023.3. The target of the attack was a
virtual machine running the Microsoft Windows 10 Education operating system,
version 1909. The CVE-2020-0796 vulnerability is known for this version of the system;
its description can be found on the MITRE Corporation website [16]. Sources
describing attacks on systems with this vulnerability can also be found on the
Internet [17]. However, it should be emphasised that the aim of the research was not to
analyse the attack itself using this vulnerability, but to select protection mechanisms
against a cyber attack within the Zero Trust architecture.
[16] CVE-2020-0796, MITRE Corporation CVE Program, [Link] 0796, Accessed 21 Dec. 2023.
Fig. 9. Laboratory environment organisation diagram [own elaboration]. The figure shows the following topology:
- Host: Kali Linux, IP [Link]/24, connected to the firewall zone "DMZ: Outside" (gateway [Link]/24);
- Host: Windows 10, IP [Link]/24, connected to the firewall zone "DMZ: Inside" (gateway [Link]/24);
- Host: CentOS, IP [Link]/24, connected to the firewall zone "DMZ: Management" (gateway [Link]/24);
- Firewall: Palo Alto, joining the three zones above.
The simulated cyber attack was carried out several times, each time
implementing an additional control mechanism. In order to confirm the reliability of the
results, the simulated attack was repeated twice for each phase.
The phases of the cyber attack included:
- Phase 1: perimeter-based firewall, protection only at the L3/L4 layers, filtering IP
addresses and TCP/445 packets.
- Phase 2: NGFW, L7 layer protection, filtering IP addresses and the application
"ms-ds-smb".
- Phase 3: NGFW, L7 layer protection, filtering IP addresses and the application
"ms-ds-smb", with the "vulnerability protection" function implemented.
The main part of the cyber attack was preceded by a reconnaissance stage
aimed at gathering information about the system under investigation. At this point, it can
be added that reconnaissance is the first and fundamental stage of penetration testing,
during which, among other things, the enumeration of detected IP addresses, open ports
and working services is performed. Nmap (Network Mapper) software was used to
conduct the reconnaissance, using the "sudo nmap -O -sV [Link]" command.
[17] Faturrohman M., Salsabila A., Mardiah Z., Aqwam Rosadi Kardian, Attack in to The Server Message Block (CVE-2020-0796) Vulnerabilities in Windows 10 using Metasploit Framework, JEEMECS, Vol 6, No 1, Feb. 2023, [Link] Accessed 21 Dec. 2023.
Fig. 10. Reconnaissance - results of a system scan [own elaboration]
Also, before starting the simulated cyber attack, it was required to
download components and prepare the execution environment. For this purpose, exploit
files targeting the CVE-2020-0796 vulnerability were downloaded.
Fig. 11. Component preparation [own elaboration]
The main phase of the cyber attack was also preceded by the preparation
and start of the Metasploit Framework environment.
Fig. 12. Metasploit Framework preparation [own elaboration]
The final steps in preparing the cyber attack were to find the vulnerability,
use and configure the exploit. The following commands were used, in order of application:
search cve_2020_0796
use exploit/windows/smb/cve_2020_0796_smbghost
set RHOSTS [Link]
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set defangedmode false
Fig. 13. Exploit preparation [own elaboration]
The attack on the system was carried out by executing the "exploit"
command. At this point, it can be added that during the cyber attack, the attacked system
periodically showed operational instability resulting in the so-called blue screen.
Fig. 14. Execution of a cyber attack [own elaboration]
Cyber attack – Phase 1 and Phase 2
The research conducted in both Phase 1 and Phase 2 focused on configuring
and observing the firewall in terms of blocking transmission based on the characteristics
of the application.
Fig. 15. Firewall configuration – phase 1 and phase 2 [own elaboration]. Request from the Kali Linux host (IP [Link]/24) to the Windows 10 host (IP [Link]/24): destination IP [Link], source IP [Link], destination TCP port 445, source TCP port 4444. Firewall rule: destination IP [Link]/24, source IP any, allow TCP/445 (phase 1) or allow application ms-ds-smb (phase 2). Result in both phases: ALLOW.
As a result of the cyber attack carried out in Phase 1, it was experimentally
found that the firewall, allowing network traffic for specific IP addresses and the TCP
protocol on port 445, did not block transmission between the hosts. This firewall
configuration is typical of older generation firewalls operating only up to the L3/L4 layer.
Similarly, in Phase 2, during which a next generation firewall was used, it
was experimentally found that despite the use of application identification (in the case in
question Server Message Block, MS-SMB), the firewall still did not detect the threat
and allowed the transmission of packets between the hosts. This shows that even with a
next generation firewall, relying only on application identification still leaves the
likelihood of a successful cyber attack.
Fig. 16. Firewall - analysis of unblocked traffic [own elaboration]
Cyber attack – Phase 3
The research conducted in Phase 3 concerned the configuration and
observation of the firewall in terms of blocking transmission based on the characteristics
of the application and the possibility of exploiting its vulnerabilities.
Fig. 17. Firewall configuration – phase 3 [own elaboration]. Request from the Kali Linux host (IP [Link]/24) to the Windows 10 host (IP [Link]/24): destination IP [Link], source IP [Link], destination TCP port 445, source TCP port 4444. Firewall rule: destination IP [Link]/24, source IP any, allow application ms-ds-smb, profile: Vulnerability protection. Result: BLOCK.
During the execution of the Phase 3 cyber attack, it was experimentally
found that the attack attempt was successfully blocked by the firewall. A factor in the
blocked transmission was the vulnerability exploitation protection mechanism for known
threats.
Fig. 18. Vulnerability protection profile [own elaboration]
Each time an attempt to carry out a cyber attack resulted in failure.
Fig. 19. Failure to carry out a cyber attack [own elaboration]
Analysis of the network traffic showed that the use of additional protection
resulted in a blocked transmission. The above resulted in effective protection for a system
whose known vulnerability could be exploited to launch a cyber attack.
Fig. 20. Firewall - analysis of blocked traffic [own elaboration]
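The three phases differ only in how deep the firewall looks into each packet before applying the same "allow SMB to the inside host" policy. The following model is an added example, not code from the paper or from Palo Alto Networks: it evaluates constructed sample traffic through a header-only stage (Phase 1), an application-identification stage that checks the SMB protocol identifier after the direct-TCP transport header (Phase 2), and a payload sanity check on the SMB2 compression transform header that stands in for a vendor vulnerability-protection signature (Phase 3). The subnet, host addresses, the 16 MiB plausibility bound and the sample packets are all assumptions made for the example; the real signatures used by the lab firewall are not reproduced.

```python
"""Model of the three firewall inspection stages from the experiment (constructed example).

Stage 1 mirrors a header-only rule (any -> inside tcp/445 allow), stage 2 adds App-ID
(is the stream really SMB?), stage 3 adds a payload sanity check standing in for a
vulnerability-protection signature. All addresses and traffic below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

PROTECTED_NET = ipaddress.ip_network("10.0.2.0/24")  # assumed stand-in for the lab's inside subnet
SMB_PORT = 445
# SMB2/3 ProtocolId values from the public [MS-SMB2] specification.
SMB2_MAGICS = {b"\xfeSMB": "smb2", b"\xfdSMB": "smb3-encrypted", b"\xfcSMB": "smb3-compressed"}
# Assumed plausibility bound for a decompressed SMB segment (a heuristic, not a vendor signature).
MAX_PLAUSIBLE_SEGMENT = 16 * 1024 * 1024


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes  # TCP payload: 4-byte direct-TCP transport header + SMB message


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow" or "block"
    stage: str
    reason: str


def stage_l3l4(pkt):
    """Phase 1: header-only rule 'any -> inside tcp/445 allow'; everything else is default deny."""
    if ipaddress.ip_address(pkt.dst) in PROTECTED_NET and pkt.dport == SMB_PORT:
        return Decision("allow", "L3/L4", "matches rule any -> inside tcp/445")
    return Decision("block", "L3/L4", "no matching rule (default deny)")


def stage_app_id(pkt):
    """Phase 2: identify the application from the bytes after the transport header
    (0x00 followed by a 24-bit length) instead of trusting the port number."""
    p = pkt.payload
    app = SMB2_MAGICS.get(p[4:8]) if len(p) >= 8 and p[0] == 0 else None
    if app is None:
        return Decision("block", "App-ID", "traffic on tcp/445 is not ms-ds-smb")
    return Decision("allow", "App-ID", f"application ms-ds-smb ({app})")


def stage_vuln_protection(pkt):
    """Phase 3: sanity-check an SMB2 COMPRESSION_TRANSFORM_HEADER
    (ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset)."""
    body = pkt.payload[4:]
    if not body.startswith(b"\xfcSMB"):
        return Decision("allow", "VulnProt", "no compressed transform header to check")
    if len(body) < 16:
        return Decision("block", "VulnProt", "truncated compression transform header")
    _, orig_size, _algo, _flags, offset = struct.unpack("<4sIHHI", body[:16])
    if orig_size > MAX_PLAUSIBLE_SEGMENT:
        return Decision("block", "VulnProt", f"declared original size {orig_size:#x} is implausible")
    if 16 + offset > len(body):
        return Decision("block", "VulnProt", "offset points past the received segment")
    return Decision("allow", "VulnProt", "compression header within bounds")


PHASES = {
    1: [stage_l3l4],
    2: [stage_l3l4, stage_app_id],
    3: [stage_l3l4, stage_app_id, stage_vuln_protection],
}


def inspect(pkt, phase, log):
    """Run the stages of the given phase; every decision is logged and the first block wins."""
    decision = Decision("block", "policy", "no stages configured")
    for stage in PHASES[phase]:
        decision = stage(pkt)
        log.append((phase, pkt.src, pkt.dst, pkt.dport, decision.stage, decision.verdict, decision.reason))
        if decision.verdict == "block":
            break
    return decision


def transport(msg):
    """Prepend the SMB direct-TCP transport header (zero byte + 24-bit big-endian length)."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed sample traffic, all from the outside host toward the inside host.
SAMPLES = {
    "smb_negotiate": Packet("10.0.1.10", "10.0.2.20", 445, transport(b"\xfeSMB" + bytes(60))),
    "http_on_445": Packet("10.0.1.10", "10.0.2.20", 445, b"GET / HTTP/1.1\r\n\r\n"),
    "oversized_compressed_smb": Packet(
        "10.0.1.10", "10.0.2.20", 445,
        transport(b"\xfcSMB" + struct.pack("<IHHI", 0x40000000, 1, 0, 0) + bytes(32)),
    ),
    "web_to_inside": Packet("10.0.1.10", "10.0.2.20", 80, b"GET / HTTP/1.1\r\n\r\n"),
}


def run_all():
    """Return {phase: {sample: verdict}} plus the combined decision log."""
    log = []
    results = {ph: {name: inspect(pkt, ph, log).verdict for name, pkt in SAMPLES.items()} for ph in PHASES}
    return results, log


if __name__ == "__main__":
    results, log = run_all()
    for ph, verdicts in results.items():
        print(f"phase {ph}: {verdicts}")
```

The malformed compressed sample is allowed by the first two stages, exactly as the paper observed for Phases 1 and 2, and is only stopped once payload fields are checked. The model inspects a single segment; a production NGFW reassembles the TCP stream and decrypts where it is configured to, so the same checks apply to the reassembled SMB message rather than to individual packets.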
Concluding the analysis of the simulated cyber attack, a summary of the
results of the empirical research is presented below.
Phase of cyber attack | Attack attempt number | Result
Phase 1 | 1 | Cyber attack carried out successfully. System fault - blue screen. The firewall did not detect the attack.
Phase 1 | 2 | Cyber attack carried out successfully. The firewall did not detect the attack.
Phase 2 | 1 | Cyber attack carried out successfully. System fault - blue screen. The firewall did not detect the attack.
Phase 2 | 2 | Cyber attack carried out successfully. The firewall did not detect the attack.
Phase 3 | 1 | Cyber attack carried out unsuccessfully. The firewall detected the attack and blocked the transmission.
Phase 3 | 2 | Cyber attack carried out unsuccessfully. The firewall detected the attack and blocked the transmission.
Tab 1. The result of a simulated cyber attack.
Conclusions
In the presented article, based on a literature analysis, the Zero Trust
concept is characterised in terms of ensuring the protection of the enterprise's local area
network resources against cyber attacks. In addition, the article presents the results of a
simulated cyber attack on ICT infrastructure protected by a next generation firewall
under the Zero Trust concept. The simulated attack was carried out in order to evaluate
the adopted security architecture of the local computer network in terms of its ability to
protect resources against a cyber attack. At this point, it is worth paying attention to the
fact that a cyber attack can be carried out not only from the attacker's host but also
as a result of running malicious code inside the protected system. This is advanced malware
that can enter the system in various ways, for example following phishing. More
information about techniques for hiding malicious code can be found in the article [18].
Developing cyber attack simulation scenarios can also be a reason to conduct further
research work.
To sum up, it should be emphasized that in order to protect the enterprise's
computer network resources, a number of security mechanisms described in this article
should be implemented, with an emphasis on the elements that constitute the Zero Trust
architecture.
[18] Stojałowski A., "Cybersecurity & Cybercrime", The impact of malware on the Internet, Maritime Cybersecurity Center, Polish Naval Academy, Vol. 1, No. 2, 02 Mar 2023, [Link] Accessed 21 Dec. 2023.
Bibliography
1. CVE-2020-0796, MITRE Corporation CVE Program, [Link]
2. Department of Defense (DoD), Zero Trust Reference Architecture, Version 2.0, US Department of Defense, Jul. 2022, [Link]
3. DoD Zero Trust Capability Execution Roadmap (COA 1), US Department of Defense, 06 Jan. 2023, [Link]
4. DoD Zero Trust Strategy, 07 Nov. 2022, US Department of Defense, [Link]
5. ENISA Foresight 2030 Threats, 13 Sep. 2023, [Link]
6. ENISA Threat landscape 2023, July 2022 to June 2023, 19 Oct. 2023, [Link]
7. Evolving Zero Trust. How real-world deployments and attacks are shaping the future of Zero Trust strategies, Microsoft Corporation, Nov. 2021, [Link]
8. Faturrohman M., Salsabila A., Mardiah Z., Aqwam Rosadi Kardian, Attack in to The Server Message Block (CVE-2020-0796) Vulnerabilities in Windows 10 using Metasploit Framework, JEEMECS, Vol 6, No 1, Feb. 2023, [Link]
9. Incident Response Report 2022, Unit 42 Palo Alto Networks, 26 Jul. 2022, [Link] response-report.
10. Mandiant M-Trends 2023, Mandiant Special Report, 27 Jun 2023, [Link] today.
11. Miller L. C., Cybersecurity survival guide. Fundamental Principles and Best Practices. Sixth Edition, Palo Alto Networks, Inc., Apr. 2022.
12. Morgan S., "Cybercrime Magazine". Cybersecurity Jobs Report: 3.5 Million Openings In 2025, Cybersecurity Ventures, 14 Apr. 2023, [Link] year%20period,to%20the%20MIT%20Technology%20Review.
13. Next-Generation Firewall, Palo Alto Networks, [Link]
14. NIST Special Publication 800-207, Zero Trust Architecture, Aug. 2020, [Link]
15. Stojałowski A., "Cybersecurity & Cybercrime", The impact of malware on the Internet, Maritime Cybersecurity Center, Polish Naval Academy, Vol. 1, No. 2, 02 Mar 2023, [Link]
16. What Is A Firewall? Fortinet, Inc., [Link]
17. What is a Next Generation Firewall (NGFW)? Check Point Software Technologies Ltd., [Link] security/what-is-next-generation-firewall-ngfw.