Petya and WannaCry: Perimeter security is dead. Long live zero trust.

Both Petya and WannaCry are great demonstrations of how perimeter-based security is failing the industry and why it is better replaced with zero trust network security strategies like BeyondCorp.

tl;dr

The attacker gets into a single user's machine and then attacks the entire private network (inside the castle, in the perimeter model) from there.

The Long Version

Petya takes this to another level: it harvests credentials from memory on the machine it has infected and uses them in pass-the-hash attacks (over PsExec and WMI) to pivot automatically to other systems, including fully patched ones. The only requirements are east-west networking (the ability to connect to peer systems in the same network zone) and the hash of a user who is a local admin on the target system. Hardening your workstation wireless and wired networks to remove east-west networking (client isolation on wireless, private VLANs on wired) is a good way to limit this. Either way, every workstation should run a host firewall that prevents direct traffic from other workstations, so that a compromised peer cannot reach the SMB, RPC and WMI ports such pivots need.
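As an added example (not part of the original post), this is what the "no direct traffic between workstations" rule looks like on the workstation itself, using the built-in Windows Firewall from PowerShell. The subnets and rule names are assumptions for illustration; the ports are the ones SMB/PsExec, RPC/WMI, RDP and WinRM listen on.

```powershell
# Added example, not from the original post. Hypothetical addressing:
#   workstations 10.10.0.0/16, management/jump hosts 10.20.5.0/24.
# Run elevated on a domain-joined workstation.
$WorkstationSubnet = '10.10.0.0/16'
$ManagementSubnet  = '10.20.5.0/24'

# Ports a NotPetya-style pivot needs to reach on a peer: SMB (PsExec, admin
# shares), RPC endpoint mapper + WMI (wmic /node), RDP and WinRM, plus the
# NetBIOS UDP ports that older SMB fallbacks use.
$LateralPorts = @{
    'TCP' = @(135, 139, 445, 3389, 5985, 5986)
    'UDP' = @(137, 138)
}

# Firewall on and inbound denied by default in every profile, so a laptop on
# guest wireless is no more exposed than a wired desktop on the domain.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

foreach ($proto in $LateralPorts.Keys) {
    # Explicit deny from the workstation range. In Windows Firewall a block
    # rule beats any allow rule for the same traffic, so this also overrides a
    # "File and Printer Sharing" allow that a GPO or installer may have added.
    New-NetFirewallRule -DisplayName "Deny east-west $proto from workstations" `
        -Direction Inbound -Action Block -Protocol $proto `
        -LocalPort $LateralPorts[$proto] -RemoteAddress $WorkstationSubnet `
        -Profile Any -Enabled True | Out-Null

    # Management hosts (helpdesk, deployment, WinRM) are still allowed, and
    # only while on the domain network. Keep them out of $WorkstationSubnet,
    # or the block rule above wins and they are locked out too.
    New-NetFirewallRule -DisplayName "Allow admin $proto from management" `
        -Direction Inbound -Action Allow -Protocol $proto `
        -LocalPort $LateralPorts[$proto] -RemoteAddress $ManagementSubnet `
        -Profile Domain -Enabled True | Out-Null
}

# Check: which enabled inbound allow rules still open SMB, and in which profile?
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    Select-Object DisplayName, Profile
```

The final query is the check worth keeping around: anything it lists is a rule that can let a peer at SMB, and each one should name a specific remote address range rather than "Any".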

However, Petya will also go north-south (up to the server or other higher-trust networks and back down to the workstation networks). Removing these paths is usually impractical, and in our environment it is impossible: Active Directory and Group Policy would stop working. That's where what we call sandboxing, better known as tiered administrative accounts, becomes important. Accounts are assigned to a tier and may only log on to machines in that tier: a user or admin on the workstation network cannot even log in to a member server in the higher-trust networks, and a user or admin in the higher-trust networks cannot even log in to a workstation. A hash stolen from a workstation is then useless against a server, because the account it belongs to is denied logon there, so north-south pass-the-hash pivoting is blocked. East-west pivoting within a tier, on the workstation networks and on the server networks alike, remains a risk. Arguably east-west could also be removed from the member server networks if you add a third tier of users and admins that can log in to the domain controllers.
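On Windows, the tiering described above is enforced with the "Deny log on ..." user rights. As an added example (not from the original post), the PowerShell below builds a security template for a member server or a workstation that denies the other tiers' admin groups every logon type, applies it locally with secedit, and exports the result to verify. The domain and group names are hypothetical; in production the same [Privilege Rights] lines would go into a GPO linked to the servers OU and the workstations OU.

```powershell
# Added example, not from the original post. Hypothetical domain and groups:
#   Tier0 = accounts that may log on to domain controllers
#   Tier1 = accounts that may log on to member servers
#   Tier2 = accounts that may log on to workstations (helpdesk etc.)
# Run elevated on the machine being configured (or lift the INF into a GPO).
$Domain = 'CONTOSO'
$Tiers = @{
    Tier0 = @('Domain Admins', 'Enterprise Admins')
    Tier1 = @('Tier1-Server-Admins')
    Tier2 = @('Tier2-Workstation-Admins')
}

function Get-AccountSid([string]$Account) {
    # secedit accepts names, but SIDs survive group renames and avoid
    # ambiguous lookups.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-DenyLogonTemplate([string]$Role) {
    # A machine in one tier denies every *other* tier's accounts. Tier0 is
    # denied everywhere except the DCs, so a DC admin's hash is never sitting
    # in LSASS on a server or workstation to be stolen in the first place.
    $deny = switch ($Role) {
        'Server'      { $Tiers.Tier0 + $Tiers.Tier2 }
        'Workstation' { $Tiers.Tier0 + $Tiers.Tier1 }
        default       { throw "Unknown role '$Role'" }
    }
    $sids = ($deny | ForEach-Object { '*' + (Get-AccountSid "$Domain\$_") }) -join ','
    # All five logon types. Network logon is the one PsExec, WMI and admin
    # shares use, so denying only interactive/RDP blocks nothing that matters
    # for pass-the-hash.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $sids
SeDenyRemoteInteractiveLogonRight = $sids
SeDenyNetworkLogonRight = $sids
SeDenyBatchLogonRight = $sids
SeDenyServiceLogonRight = $sids
"@
}

function Set-TierLogonDenies([string]$Role) {
    $inf = Join-Path $env:TEMP "tier-$Role.inf"
    $db  = Join-Path $env:TEMP "tier-$Role.sdb"
    New-DenyLogonTemplate $Role | Set-Content -Path $inf -Encoding Unicode
    # /configure with a fresh database imports the INF and applies only the
    # user-rights area; the rest of local security policy is left alone.
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Example: this machine is a member server.
Set-TierLogonDenies -Role Server

# Verify: export the effective user rights and show the deny entries.
$check = Join-Path $env:TEMP 'rights-check.inf'
secedit /export /cfg $check /areas USER_RIGHTS /quiet
Get-Content $check -Encoding Unicode | Select-String '^SeDeny'
```

Two caveats. Each listed right is set to exactly the SIDs given, replacing whatever was there, so export the current settings first if another policy already populates them. And only admin groups are denied network logon: denying "Domain Users" network logon on a file server would break its shares, so ordinary workstation users get denied interactive and remote interactive logon on servers, not network logon.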

An additional defense on member servers (impractical on mobile workstations, which must be able to log on while away from the network) is forbidding cached credentials. A caveat, though: the cached domain logons this setting controls are stored as a salted verifier (the "mscash" hash) that can be cracked offline but cannot be passed, so turning them off removes offline-cracking material rather than pass-the-hash material. The hashes that pass-the-hash uses are the NT hashes LSASS keeps in memory for every account currently logged on, including service accounts and scheduled tasks, and those exist regardless of the caching setting. What actually denies them to an attacker is keeping the accounts of other tiers from ever logging on to the server (the tiering above), putting administrative accounts in the Protected Users group so they cannot authenticate with NTLM at all, and protecting LSASS itself (LSA protection, Credential Guard) so that the hashes of the accounts that do log on cannot be read out. Even then, a directly compromised account, whose plaintext password the attacker already has, remains usable on every machine it is allowed to log on to.
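As an added example (not from the original post), the PowerShell below audits and sets the three registry values that govern what credential material a member server keeps around: the cached logon count, WDigest plaintext caching in LSASS, and LSA protection. The registry paths are Microsoft's documented locations; the function names and the server-only assumption are mine for illustration. Protected Users membership is an Active Directory change, not a registry one, so it is not in the block.

```powershell
# Added example, not from the original post. Intended for member servers
# (CachedLogonsCount=0 would lock a laptop out when it is off the network).
# Run elevated; LSA protection takes effect after a reboot.
$Settings = @(
    @{ # "Interactive logon: Number of previous logons to cache". Servers are
       # never off the network, so keep no DCC2 verifiers for offline cracking.
       # This alone does not stop pass-the-hash; see the two settings below.
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Type = 'String'; Value = '0' },
    @{ # Stop WDigest keeping plaintext passwords in LSASS, the behaviour that
       # let Mimikatz-style tools read cleartext on pre-8.1/2012 R2 systems
       # and on newer ones where this value was set back to 1.
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Type = 'DWord'; Value = 0 },
    @{ # Run LSASS as a protected process (PPL) so unsigned code, even as
       # local admin, cannot open it and dump the NT hashes of logged-on accounts.
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Type = 'DWord'; Value = 1 }
)

function Test-CredentialHardening {
    # One row per setting: expected vs. actual, with a missing value treated as
    # non-compliant rather than as "default", because defaults differ by OS.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Actual    = if ($null -eq $current) { '<not set>' } else { $current }
            Compliant = ("$current" -eq "$($s.Value)")
        }
    }
}

function Set-CredentialHardening {
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type `
            -Value $s.Value -Force | Out-Null
    }
}

# Audit first, then apply and audit again.
Test-CredentialHardening | Format-Table -AutoSize
Set-CredentialHardening
Test-CredentialHardening | Format-Table -AutoSize
```

Run the audit across the server estate before enforcing anything: a server where UseLogonCredential is explicitly 1 usually has an application that depended on it, and RunAsPPL will stop any third-party authentication package or agent that is not signed for LSASS, so those need to be found and fixed first.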


You should not rely on perimeter defenses to protect your networks. As far as possible, treat every element of your network, inside and out, as compromised and move the defenses to the systems and services themselves.

This is the zero trust networking approach and BeyondCorp is a specific example of how to implement it.

To read more about BeyondCorp see Google's minisite here: