Defending against ransomware
We often hear that the best defense against a ransomware attack is robust data protection. After all, if you have backups, you don’t need to pay the ransom; you can simply restore the files. Even if the malware successfully encrypts an organization’s data, so long as the backup and disaster recovery (DR) copies are intact, the organization can avoid paying the ransom and IT can restore everything to a point before the attack.
But backups are best kept as a last-ditch defense, not the front line. If the attack is devastating enough, IT may face restoring petabytes of data, a process that can take days or even weeks to complete, leaving the business crippled for an extended period. Worse, if the backups are reachable from the network, the ransomware can digitally shred them as well, leaving no option but to pay the ransom, which is a terrible position to be in, and not only because of the monetary loss. Paying does not make the outage short: after officials in Lake City, Florida paid a ransom to decrypt their affected data, about a couple hundred terabytes, the decryption process took more than eight days to complete. For larger organizations with petabytes of data, the process could take more than a month.
Likewise, we hear a great deal about the importance of training employees not to open the attachments and links used in phishing attacks, but again, this is nowhere near sufficient.
Cybercriminals are constantly developing novel ways to trick employees, and in a sufficiently large organization someone will eventually make the mistake of opening an infected file. What’s more, training does nothing to defend against attacks that exploit unpatched vulnerabilities; no one has to click on anything for those to succeed.
A zero trust approach to thwarting ransomware
In a zero trust environment, all internal communications are treated as potentially hostile. Each communication between workloads must be authorized before it is allowed. In this way, zero trust can stop ransomware from moving laterally across the network, which can mean the difference between the malware encrypting a single laptop and encrypting hundreds of servers and datastores around the globe.
Zero trust is enabled by microsegmentation, but traditional methods of microsegmenting a network depend on “trusted” IP addresses. That poses significant operational and security concerns. Operationally, policies break when the underlying network changes, and modern networks are constantly changing. It is even harder to manage policies in autoscaling environments such as the cloud or containers, where IP addresses are ephemeral: IT would have to update policies continually as addresses change, which is labor-intensive and error prone. On the security side, ransomware can evade address-based controls by piggybacking on approved firewall policies, because a rule that allows an address allows every process behind that address; a firewall is not designed to distinguish good software from bad software.
There is a newer model for microsegmentation, however, that relies on the identity of the communicating software, hosts and devices, separating the control plane from the network for better security and easier operations. With an identity-based approach, each workload is assigned an immutable, unique identity (or fingerprint) derived from dozens of properties of the asset itself, such as the BIOS UUID, processor serial numbers, or the SHA-256 hash of the binary. That identity, not the address, is verified before two workloads are allowed to communicate, so unauthorized software, devices and hosts are prevented from communicating even when they sit at an address that a traditional rule would trust.
For example, let’s say that someone opens an infected file, which launches ransomware on their desktop machine. If it tries to use the SAMR protocol (to enumerate domain users and groups) or DNS lookups via nslookup to conduct network reconnaissance, identity-based zero trust policies block that communication, because the ransomware binary is not an authorized identity, even though it is running on a desktop whose address is allowed to reach those services. Likewise, attempts to move to other assets are denied. In this way, even if ransomware gains an initial foothold in the network, the damage it can do is limited to an annoyance rather than a global business catastrophe.
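The following is an added illustration, not code from the original post or from Edgewise’s platform. It models a desktop on which both an approved agent and a freshly launched ransomware binary try to reach SAMR and DNS, and evaluates each connection under an address-based rule set and an identity-based one. The host UUID, CPU serial, binary contents and addresses are constructed sample data, and the fingerprint is a deliberately simplified stand-in for a real platform’s identity derivation.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    """A process on a host. All field values used below are constructed sample data."""
    host_uuid: str       # SMBIOS/BIOS system UUID of the host
    cpu_serial: str      # processor serial number
    binary_sha256: str   # SHA-256 of the executable that opened the socket
    ip: str              # current network address (ephemeral, NOT part of the identity)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def workload_identity(w: Workload) -> str:
    """Fingerprint derived only from properties of the asset and its binary.

    The IP address is deliberately excluded so the identity survives DHCP
    lease changes, autoscaling and container restarts. (Simplified stand-in
    for a real identity derivation, which would use many more properties.)
    """
    material = "|".join((w.host_uuid, w.cpu_serial, w.binary_sha256)).encode()
    return sha256_hex(material)


# --- constructed sample environment (hypothetical values) -------------------
DESKTOP_UUID = "4c4c4544-0044-3310-8054-b2c04f4a5a31"
DESKTOP_CPU = "BFEBFBFF000906EA"
APPROVED_BINARY = b"inventory-agent v1.2 (stand-in for a real executable)"
RANSOMWARE_BINARY = b"invoice.pdf.exe (stand-in for the clicked dropper)"

# The approved inventory agent on the user's desktop.
approved = Workload(DESKTOP_UUID, DESKTOP_CPU, sha256_hex(APPROVED_BINARY), "10.20.30.40")
# Ransomware launched on the same desktop: same host, same IP, different binary.
malware = Workload(DESKTOP_UUID, DESKTOP_CPU, sha256_hex(RANSOMWARE_BINARY), "10.20.30.40")
# The same approved agent after a DHCP lease change moved it to a new address.
moved = replace(approved, ip="10.20.30.99")

# Services the ransomware would use for reconnaissance, as named in the text:
# SAMR (user/group enumeration over SMB) and DNS (what nslookup speaks).
SERVICES = ("samr", "dns")

# Traditional rule set keyed on the "trusted" source address.
IP_POLICY = {("10.20.30.40", "samr"), ("10.20.30.40", "dns")}

# Identity-based rule set keyed on the workload fingerprint.
IDENTITY_POLICY = {
    (workload_identity(approved), "samr"),
    (workload_identity(approved), "dns"),
}


def ip_policy_allows(src: Workload, service: str) -> bool:
    """Address-based decision: any process at an allowed IP gets through."""
    return (src.ip, service) in IP_POLICY


def identity_policy_allows(src: Workload, service: str) -> bool:
    """Identity-based decision: the fingerprint itself must be authorized."""
    return (workload_identity(src), service) in IDENTITY_POLICY


def compare_policies(src: Workload) -> dict:
    """Decision table for one source workload under both models."""
    return {
        svc: {"ip": ip_policy_allows(src, svc), "identity": identity_policy_allows(src, svc)}
        for svc in SERVICES
    }


if __name__ == "__main__":
    for name, w in (("approved", approved), ("malware", malware), ("moved", moved)):
        print(name, compare_policies(w))
```

Running it shows the two failure modes from the text side by side: the ransomware is allowed by the address-based rules because it shares the desktop’s IP, but denied by the identity-based rules because its binary hash is not in any authorized fingerprint; and when the approved agent changes address, the address-based rules stop matching while its identity, and therefore its access, is unchanged.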
Want to learn more about how Edgewise’s zero trust platform can help your organization defend against ransomware? Sign up for a demo today.