Preventing the Spread of Ransomware

After a brief moment away from the spotlight in 2018, ransomware has returned with a vengeance to commence 2019. In the first four months of the year alone, ransomware has hit Norsk Hydro, Arizona Beverages, Cleveland Hopkins International Airport, and the cities of Greenville (NC) and Albany (NY), plus Garfield County in Salt Lake, City (UT). In all likelihood, this is just the tip of the attack iceberg, and potentially a sign of things to come.

Ransomware, by all measures, is a high-probability attack from the attacker’s point of view; inevitably, an employee/contractor/partner will be fooled by a convincing-looking email containing a malicious link or attachment, which, upon execution, triggers malware that locks up files on the user’s computer and/or looks for ways to piggyback on existing executables and pathways in the network to find, access, and encrypt company-critical databases. In each of the attack scenarios listed above (as well as countless others before them), affected organizations had to contend with loss of data; system disruptions; inability to serve customers for extended periods; and in a few cases, a complete operational shutdown until systems, networks, or data were restored to serviceable levels. Needless to say, any company that falls victim to this type of attack is subject to financial, operational, reputational, and potentially regulatory consequences. In other words, the damage from a ransomware attack exceeds networking impact.

Conventional methods for handling ransomware

It is far superior, therefore, to prevent a ransomware attack than to have to deal with the aftermath. Yet, some experts say that the best advice for handling a ransomware attack is to train users not to click on things and to maintain backups of all business-critical data and information. While it’s true that if no person ever clicked on links or downloaded attachments, organizations would be freer from incidents. However, business isn’t conducive to never clicking or downloading, scrutinizing the contents and headers of every email, and questioning each correspondence received throughout each day. Disabling users’ ability to click on a link or download an attachment is one way of approaching the problem, but doing so comes with repercussions beyond cybersecurity—in the eyes of a business executive, the probability of a ransomware attack activated by a user’s click is far less than that person’s inability to do their job effectively if they can’t access important information. Even though ransomware is headline news, most non-security executives (at least those who haven’t lived through the fallout) would say their teams’ productivity is vastly more vital than a possible cyber attack.

As for backups and disaster recovery plans, there is no doubt that every company should have them. Failing to do so is negligence, at best. All companies—at some level—will fall victim to a security incident or system outage, even if the impetus is unintentional and not instigated by a nation-state cyber criminal. Planning thoroughly for a disaster, however, does not erase the need for stronger preventative cybersecurity measures. In other words, just because a company can swiftly recover from a cyber attack doesn’t mean recovery efforts should be the default position. A layered security defense means starting from the viewpoint that the company will execute its best efforts at implementing preventative security controls—meaning, an ounce of prevention is worth a pound of cure.


Edgewise will be at the Gartner Security & Risk Management Summit.   Come visit us at booth 925! <https://www.edgewise.net/events>


Accepting that human beings aren’t the best security control plane, organizations need to look beyond endpoints and start to place better protection around the data and system resources attackers are trying to compromise and the mechanisms by which attackers get there. That is to say, if an attacker can exploit a human vulnerability, security controls must be in place to prevent the sprawl of a ransomware attack.

As noted above, disabling links, sandboxing attachments, or blocking email containing either are ways to limit potential malware detonation. However, users don’t look kindly on anything that slows them down, even nominally, and businesses won’t tolerate security solutions that curtail productivity. And while one infected machine isn’t ideal, security teams need to implement network-agnostic controls that prevent malware from moving off of one user’s machine to another or toward shared network resources.

Security redefined

How can this be accomplished? By denying unknown and therefore untrusted software and processes from communicating on the network.

Given the prevalence of malware—a.k.a., malicious software—as a means for network attack, security controls have to be configured to assume that any end user and any end user’s credentials have been compromised. In turn, this means that any request by an end user to access system resources must also be treated as potentially compromised. For example, let’s say a user receives an email with an infected link and clicks on that link. Immediately the files on the user’s machine are encrypted and a popup appears stating that the user must pay 50 Bitcoin to receive the decryption instructions to restore the locked files. This is bad, but not nearly as problematic as if the malware can then spread to subsequent users’ machines and/or to centralized databases to which many users require access.

In a typical ransomware scenario, malware is written to automatically seek out and execute on other assets, and because the initial victim’s machine and associated user credentials are trusted to communicate with other users’ machines and/or system resources, the malware spreads rapidly. However, if network communication policies are set to zero trust—i.e., every action must be verified regardless of previous approvals; all access is least privilege—when the infected user’s machine tries to establish an outbound communication that includes ransomware, the communication request is denied based on the fact that unknown software is included in the request. Any piece of software or process that cannot be identified is prevented from communicating in a zero trust network, hence the attack is aborted before it can reach any resources beyond the initial infection point. Importantly, identification in a zero trust network must be dependent on the communicating asset rather than where the asset is coming from (address, port) or who is sending the request (user credentials). The reason for this is twofold: first, phishing is extremely effective and hard to prevent. Second, network-based information as a control plane in a cloud, serverless, or container environment is not constant and can therefore not reliably differentiate “good” from “bad” traffic.

Focus on the attackers’ ultimate target first

Instead, to effectively prevent the spread of ransomware (as well as other malware), organizations should implement security controls that stop unverified software and services from communicating on their networks. Notably, access and authorization decisions should center on the identities of the software and services requesting communication; this is the most reliable way to limit the “blast radius” of any attack.

The resolute return of ransomware is a good reminder to companies that it’s time to think strategically about protecting users, data, and systems from widespread compromise. While at first blush ransomware (and phishing, which is often the first strike in a ransomware attack) seems like an unsolvable problem. However, combining zero trust security principles with identity-based control gives organizations a way to stop the spread of ransomware attacks even when one initial target is exploited. Savvy attackers are always going to find a way to exploit an endpoint. The key is preventing them from affecting further damage.

 

Katherine Teitler, Director of Content

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.