Zero-trust helps to regain control after a ransomware attack
Successful ransomware attacks continue to dominate the headlines and the threat level continues to worsen. On a global scale, malware actors are developing new attack scenarios faster than companies can respond by upgrading their security defences. In view of the severity of potential ransomware attacks, consideration must be given to how companies can regain control over their IT infrastructure after an attack has taken place, says Tony Fergusson, director transformation strategy at Zscaler.
In the immediate aftermath of a ransomware attack, companies lose trust in their entire IT environment. They commonly do not know which systems the blackmailers have hijacked or what data the attackers can access. Nor can it be determined at first glance how the malware infiltrated the network and systems, or whether data left the network before encryption, since double extortion (the threat to leak stolen data) puts additional pressure on victims to pay the ransom.
Once a ransomware attack has occurred, IT managers usually react by shutting down all systems on the network completely. If the attack has already paralysed many systems, this reaction is intended to prevent the further encryption of data and the lateral movement of the attackers. Even if this succeeds in stopping the attackers spreading further in the network and communicating with the outside world, an unfortunate consequence is that the entire business’s operations are also stopped. A strategy is therefore needed that, on the one hand, ensures the rapid recovery of access to the business-critical applications, so that employees can resume their work, and on the other hand, does not interfere with the clean-up of the network and the restoration of data.
Companies that choose not to pay the ransom should have a plan in place for how to regain confidence in the integrity of their IT landscape. They will be under immense economic pressure to act quickly. Even if data can be recovered from an external backup system, this is only possible when the backups themselves have not been encrypted, and ransomware gangs are increasingly targeting backups as well. It must also be ensured that the attackers are banished from the network so that they cannot cause further damage.
The principle of least privilege restores trust
In response to today’s threat landscape, the concept of least-privileged access has been revived through zero-trust. The term essentially means that organisations begin from a starting point of zero access permissions for each employee or system, so every permission must be defined explicitly via a policy. Such a process coincides with the tried-and-tested principle of least privilege, which only provides access to information and resources for which there is a legitimate purpose. The underlying idea is that no one is afforded implicit trust: everything must be questioned before authorisations are gradually granted, and those authorisations must be continuously validated for as long as the individual has access.
A zero-trust-based approach can help to quickly establish the permissions for granular application-level access for business-critical systems, even in a worst-case scenario of a ransomware infection. This ensures the rapid return of employees to business operations, while the infected system is cleaned up in the background. A software-defined overlay layered on top of the compromised network environment allows only secure data streams based on identity and context and acts as a virtual perimeter around the infected system.
Three steps to regain control
In order to effectively mitigate the impact of an attack, some basic considerations are necessary.
- Build a zero-trust overlay: To prepare for the “Phoenix moment” of network resurrection, it is necessary to prioritise the applications required for business operations. The access rights to these critical applications must be defined by role in an identity provider.
With the help of a software-defined solution, such as the Zero-Trust Exchange, the individual user is granted access to these critical applications via a microtunnel through which the data traffic is encrypted. The access rights are brokered with the help of a cloud service that links the outgoing connection from the application to the user. The infected network acts only as the transport layer for this type of access; because users and applications are not exposed on the network itself, that attack surface is removed from it.
This type of connection takes place as a secure overlay over the existing network infrastructure. The zero-trust overlay functions on the principle “don’t trust anyone, but verify first” and allows the company to deliver critical business applications even though some of the apps and users are compromised. Meanwhile, the IT team gains time to clean up the affected network infrastructure.
- Gain insight into the entire data streams and context: In addition, it is important to locate the attackers in the network and prevent the attack from spreading further laterally or re-infecting systems that have already been cleaned. A multi-layered security approach should be implemented that supports the clean-up of individual clients and, for example, scans users’ end devices for hidden malware. Only scanned devices should be allowed access to the required applications via zero-trust. If all outgoing traffic from employees and servers is monitored after the systems have been restarted, the attackers’ command and control traffic may be detected.
In a zero-trust model, context is included in the security considerations and in the structure of the policies. New technologies are emerging under the banner of contextual trust, in which the user’s device, their location and information about their most recent authentication are all taken into account. It is crucial that this information is validated in advance with the help of zero-trust before the connection is established.
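The policy logic described in the first two steps (roles asserted by an identity provider, zero access by default, and device, location and authentication age checked before a connection is brokered) can be expressed as a small decision function. The code below is an added example written for this article and is not Zscaler's or the Zero-Trust Exchange's code; the user directory, application names, country list and eight-hour re-authentication threshold are all constructed assumptions chosen for illustration.

```python
"""Default-deny, context-aware access decision for critical applications.

Added example (not the vendor's code). Models the article's overlay:
an identity provider asserts a user's roles, each business-critical
application lists the roles permitted to reach it, and the request is
allowed only when the context checks (device posture, location, age of
the last authentication) also pass. Anything not explicitly allowed is denied.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed identity-provider directory: user -> set of roles (assumed data).
IDP_ROLES = {
    "alice": {"finance"},
    "bob": {"warehouse"},
    "carol": {"it-admin", "finance"},
}


@dataclass(frozen=True)
class AppPolicy:
    """Access policy for one critical application (all values are assumptions)."""
    allowed_roles: frozenset
    require_scanned_device: bool = True            # only scanned endpoints may connect
    allowed_countries: frozenset = frozenset()     # empty set = no location restriction
    max_auth_age: timedelta = timedelta(hours=8)   # force re-authentication after this


# Constructed policies for the prioritised applications. An application with
# no entry here has no policy and is therefore unreachable (default deny).
POLICIES = {
    "erp": AppPolicy(frozenset({"finance", "it-admin"}),
                     allowed_countries=frozenset({"DE", "GB"})),
    "wms": AppPolicy(frozenset({"warehouse"}), max_auth_age=timedelta(hours=12)),
}


@dataclass(frozen=True)
class Request:
    """Context the broker sees for one access request."""
    user: str
    app: str
    device_scanned_clean: bool
    country: str
    last_auth: datetime


def decide(req: Request, now: datetime) -> tuple:
    """Return (allow, reason). Every check must pass; the default answer is deny."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "unknown application: no policy, no access"
    roles = IDP_ROLES.get(req.user, set())
    if not roles & policy.allowed_roles:
        return False, f"role check failed: {req.user} holds no permitted role"
    if policy.require_scanned_device and not req.device_scanned_clean:
        return False, "device posture failed: endpoint not scanned clean"
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return False, f"location check failed: {req.country} not permitted"
    if now - req.last_auth > policy.max_auth_age:
        return False, "authentication too old: re-authentication required"
    return True, "allowed by policy"


if __name__ == "__main__":
    # Constructed demonstration requests against a fixed clock.
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    samples = [
        Request("alice", "erp", True, "DE", now - timedelta(hours=1)),
        Request("bob", "erp", True, "DE", now - timedelta(hours=1)),
        Request("alice", "erp", False, "DE", now - timedelta(hours=1)),
        Request("alice", "erp", True, "US", now - timedelta(hours=1)),
        Request("bob", "wms", True, "US", now - timedelta(hours=13)),
        Request("carol", "payroll", True, "GB", now - timedelta(minutes=5)),
    ]
    for req in samples:
        allow, reason = decide(req, now)
        print(f"{req.user:6} -> {req.app:8} {'ALLOW' if allow else 'DENY '}  {reason}")
```

The order of checks matters less than the fact that each one can only deny: a request reaches "allowed by policy" only by passing all of them, which is what makes the model default-deny rather than default-allow with exceptions.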
- Detect and avoid attack surfaces: Due to the growing number of IT systems exposed to the Internet, organisations’ attack surfaces are constantly expanding. The IT department often lacks insight into the potential danger associated with systems exposed to the Internet. A recently published survey illustrates this problem. More than 202,000 Common Vulnerabilities and Exposures (CVE) were found at 1,500 companies. More than 400,000 servers could be openly controlled via the Internet. Almost half of the companies surveyed used outdated protocols, which makes it easier to attack them and take control of their IT systems.
The study also found over 60,500 exposed instances on Amazon Web Services, Microsoft Azure Cloud, and Google Cloud Platform. Outdated infrastructure components that are no longer administered also represent loopholes for attackers. These “technical debts” must be on the radar of security teams, who should be running regular reviews of multicloud configurations and workloads. Such dangerous attack surfaces must be narrowed down, and lateral movement between workloads and users, and amongst workloads, must be limited to authorised communication only, which is where a zero-trust approach can help. The goal should therefore not only be to know the exposed attack surface, but to reduce it to a minimum.
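The second step above notes that monitoring all outgoing traffic after a restart may reveal the attackers’ command and control traffic. One property defenders look for in egress logs is beaconing: a host contacting the same external destination at near-constant intervals. The following is an added example written for this article, not code from Zscaler or from any product the article names; the log format, the field names and the detection thresholds (at least six connections, interval coefficient of variation at most 0.1) are assumptions, and the log lines are constructed sample data using documentation IP ranges.

```python
"""Flag periodic (beacon-like) outbound connections in constructed egress logs.

Added example (not the vendor's code). Groups connections by (source host,
destination), measures the gaps between consecutive connections, and flags
pairs whose gaps are both numerous and unusually regular. Thresholds and the
log format are assumptions chosen for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log format: one connection per line. The lines below are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

SAMPLE_LOG = """\
2024-01-15T09:00:00Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=512
2024-01-15T09:00:00Z src=10.0.5.40 dst=198.51.100.10:443 bytes_out=1833
2024-01-15T09:00:07Z src=10.0.5.40 dst=198.51.100.10:443 bytes_out=7710
2024-01-15T09:01:00Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=514
2024-01-15T09:02:01Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=512
2024-01-15T09:03:00Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=513
2024-01-15T09:03:30Z src=10.0.5.40 dst=198.51.100.10:443 bytes_out=402
2024-01-15T09:03:31Z src=10.0.5.40 dst=198.51.100.10:443 bytes_out=22011
2024-01-15T09:04:00Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=512
2024-01-15T09:05:00Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=512
2024-01-15T09:06:01Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=515
2024-01-15T09:07:00Z src=10.0.5.23 dst=203.0.113.45:443 bytes_out=512
2024-01-15T09:08:40Z src=10.0.5.99 dst=192.0.2.8:80 bytes_out=301
2024-01-15T09:10:00Z src=10.0.5.40 dst=198.51.100.10:443 bytes_out=9920
2024-01-15T09:25:12Z src=10.0.5.40 dst=198.51.100.10:443 bytes_out=640
"""


def parse(lines):
    """Parse log lines into (timestamp, src, dst, bytes_out); skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["bytes"])))
    return events


def find_beacons(events, min_events=6, max_cv=0.1):
    """Return the (src, dst) pairs whose connection intervals look periodic.

    A pair is flagged when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most `max_cv`. Both thresholds are assumptions to tune per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:                      # duplicate timestamps: not a beacon pattern
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval_s": mean, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse(SAMPLE_LOG.splitlines())):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"every ~{f['mean_interval_s']:.0f}s (cv={f['cv']:.3f})")
```

In the sample data only the 10.0.5.23 to 203.0.113.45:443 pair fires: eight connections roughly sixty seconds apart. The irregular, bursty traffic from 10.0.5.40 and the single connection from 10.0.5.99 do not. Legitimate software also polls on fixed schedules (update checkers, monitoring agents), so a finding like this is a lead to correlate with the destination’s reputation and the device scan results from the clean-up, not a verdict on its own.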
Instead of cybersecurity insurance and the accumulation of bitcoins for emergencies, companies would do well to evaluate their security infrastructure before an attack occurs. This is a more cost-effective strategy, as cleaning up after a security incident introduces a multitude of losses, including immediate lost revenue and personnel time being diverted to reconstruction, as well as the longer-term costs associated with reputational damage. Essentially, a zero-trust approach can help organisations rebuild trust in their IT landscape, take back control, and keep this control going forward.
The author is Tony Fergusson, director transformation strategy at Zscaler.