Accepting that human beings aren’t the best security control plane, organizations need to look beyond endpoints and start to place better protection around the data and system resources attackers are trying to compromise and the mechanisms by which attackers get there. That is to say, if an attacker can exploit a human vulnerability, security controls must be in place to prevent the sprawl of a ransomware attack.
As noted above, disabling links, sandboxing attachments, or blocking email containing either are ways to limit potential malware detonation. However, users don’t look kindly on anything that slows them down, even nominally, and businesses won’t tolerate security solutions that curtail productivity. One infected machine is bad enough, so security teams also need to implement network-agnostic controls that prevent malware from moving off of one user’s machine to another or toward shared network resources.
How can this be accomplished? By denying unknown and therefore untrusted software and processes from communicating on the network.
Given the prevalence of malware—a.k.a., malicious software—as a means for network attack, security controls have to be configured to assume that any end user and any end user’s credentials have been compromised. In turn, this means that any request by an end user to access system resources must also be treated as potentially compromised. For example, let’s say a user receives an email with an infected link and clicks on that link. Immediately the files on the user’s machine are encrypted and a popup appears stating that the user must pay 50 Bitcoin to receive the decryption instructions to restore the locked files. This is bad, but not nearly as problematic as if the malware can then spread to subsequent users’ machines and/or to centralized databases to which many users require access.
In a typical ransomware scenario, malware is written to automatically seek out and execute on other assets, and because the initial victim’s machine and associated user credentials are trusted to communicate with other users’ machines and/or system resources, the malware spreads rapidly. However, if network communication policies are set to zero trust—i.e., every action must be verified regardless of previous approvals; all access is least privilege—when the infected user’s machine tries to establish an outbound communication that includes ransomware, the communication request is denied based on the fact that unknown software is included in the request. Any piece of software or process that cannot be identified is prevented from communicating in a zero trust network, hence the attack is aborted before it can reach any resources beyond the initial infection point. Importantly, identification in a zero trust network must be dependent on the communicating asset rather than where the asset is coming from (address, port) or who is sending the request (user credentials). The reason for this is twofold: first, phishing is extremely effective and hard to prevent. Second, network-based information as a control plane in a cloud, serverless, or container environment is not constant and can therefore not reliably differentiate “good” from “bad” traffic.
Focus on the attackers’ ultimate target first
Instead, to effectively prevent the spread of ransomware (as well as other malware), organizations should implement security controls that stop unverified software and services from communicating on their networks. Notably, access and authorization decisions should center on the identities of the software and services requesting communication; this is the most reliable way to limit the “blast radius” of any attack.
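To make the identity-based decision described in the two passages above concrete, here is an added Python sketch (not from the original article) of a policy check that keys only on the requesting software's verified identity and the destination service, while deliberately ignoring source address and user credentials; the process hashes, hostnames and service names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed software identities. In a real deployment the key would be the
# measured binary hash or signing-certificate fingerprint reported by a host agent.
KNOWN_SOFTWARE = {
    hashlib.sha256(b"backup-agent-v3").hexdigest(): "backup-agent",
    hashlib.sha256(b"sql-client-v12").hexdigest(): "sql-client",
}

# Least-privilege policy: which software identity may talk to which service.
POLICY = {
    ("backup-agent", "fileshare:445"),
    ("sql-client", "db-primary:5432"),
}

@dataclass(frozen=True)
class Request:
    src_ip: str          # present in the request, but NOT used in the decision
    user: str            # present in the request, but NOT used in the decision
    process_sha256: str  # identity of the asset asking to communicate
    dest: str            # target service, host:port

def decide(req: Request) -> tuple:
    """Return (verdict, reason). Only asset identity and destination matter."""
    identity = KNOWN_SOFTWARE.get(req.process_sha256)
    if identity is None:
        # Unknown software is untrusted by default, whatever host or user it rides on.
        return ("DENY", "unknown software: no verified identity for process")
    if (identity, req.dest) not in POLICY:
        return ("DENY", f"{identity} is not authorized to reach {req.dest}")
    return ("ALLOW", f"{identity} -> {req.dest} matches policy")

def evaluate(requests):
    """Evaluate a batch of requests; returns a list of verdicts in order."""
    return [decide(r)[0] for r in requests]

# Constructed scenario: the same trusted workstation and valid user credentials
# issue three requests; only the one from a known, authorized process gets through.
SAMPLE_REQUESTS = [
    Request("10.20.30.40", "alice", hashlib.sha256(b"backup-agent-v3").hexdigest(), "fileshare:445"),
    Request("10.20.30.40", "alice", hashlib.sha256(b"ransom-payload").hexdigest(), "fileshare:445"),
    Request("10.20.30.40", "alice", hashlib.sha256(b"backup-agent-v3").hexdigest(), "db-primary:5432"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.dest, *decide(r))
```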
The resolute return of ransomware is a good reminder to companies that it’s time to think strategically about protecting users, data, and systems from widespread compromise. At first blush, ransomware (and phishing, which is often the first strike in a ransomware attack) seems like an unsolvable problem. However, combining zero trust security principles with identity-based control gives organizations a way to stop the spread of ransomware attacks even when one initial target is exploited. Savvy attackers are always going to find a way to exploit an endpoint. The key is preventing them from effecting further damage.