Encrypted Tunnels Mask Workload Impersonation

Dec 22, 2025

Failure Pattern

Encrypted tunnels connect workloads but do not validate the identity of the workloads themselves. Attackers exploit tunnels to impersonate trusted systems.
What We See in the Field

A compromised workload creates a secure tunnel to a downstream system. Because the tunnel is authenticated with credentials the compromised workload inherited, monitoring and access-control tools treat it as legitimate.
Underlying Causes

Tunnel-based trust
Certificates inherited or cloned
No per-session workload identity
Static trust boundaries
Blind acceptance of encrypted channels
Trust-Native Network Resolution

DTL validates identity before tunnel creation. Even if encryption is valid, untrusted workloads cannot establish tunnels or impersonate trusted systems.
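An added illustration of the two controls this pattern calls for, a per-session identity check made before the tunnel is created and an audit that surfaces inherited or cloned certificates; this is example code written for this page, not DTL's implementation, and the fingerprints, workload names, nodes and registry are constructed.

```python
from collections import defaultdict

# Constructed tunnel-establishment records (not real telemetry): the certificate
# fingerprint presented, the workload instance that presented it, the node it ran
# on, and the downstream it asked to reach.
EVENTS = [
    {"cert": "sha256:aaa111", "workload": "svc-billing-7d9f", "node": "node-a", "dst": "db-primary"},
    {"cert": "sha256:aaa111", "workload": "svc-billing-7d9f", "node": "node-a", "dst": "db-primary"},
    {"cert": "sha256:aaa111", "workload": "pod-3c1e", "node": "node-z", "dst": "db-primary"},
    {"cert": "sha256:bbb222", "workload": "svc-reports-1a2b", "node": "node-b", "dst": "db-replica"},
    {"cert": "sha256:ccc333", "workload": "svc-reports-1a2b", "node": "node-b", "dst": "db-primary"},
]

# Constructed identity registry: which workload each certificate was issued to,
# and which downstreams that workload is allowed to tunnel to.
ISSUED_TO = {"sha256:aaa111": "svc-billing-7d9f", "sha256:bbb222": "svc-reports-1a2b"}
ALLOWED_DST = {"svc-billing-7d9f": {"db-primary"}, "svc-reports-1a2b": {"db-replica"}}


def authorize_tunnel(event, issued_to=ISSUED_TO, allowed_dst=ALLOWED_DST):
    """Per-session decision made before the tunnel is created.

    A certificate that chains correctly is not enough: it must belong to the
    workload presenting it, and that workload must be permitted to reach the
    requested destination.
    """
    owner = issued_to.get(event["cert"])
    if owner is None:
        return "deny:unknown-cert"
    if owner != event["workload"]:
        return "deny:cert-not-issued-to-presenter"
    if event["dst"] not in allowed_dst.get(owner, set()):
        return "deny:destination-not-authorized"
    return "allow"


def find_shared_certs(events):
    """Audit: certificates presented by more than one workload instance or node.

    A legitimately issued certificate that appears from a second workload is the
    signature of an inherited or cloned credential; the encryption is valid the
    whole time, so only the identity binding reveals it.
    """
    presenters = defaultdict(set)
    for ev in events:
        presenters[ev["cert"]].add((ev["workload"], ev["node"]))
    return {cert: sorted(p) for cert, p in presenters.items() if len(p) > 1}
```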
Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.