Using Zero Trust and XDR to Stop Ransomware

Author: William Malik, CISA
Date Published: 22 November 2021

The rise of ransomware has inspired the creation of myriad techniques attackers can use to achieve their goals. At its core, ransomware encrypts an enterprise’s data and then sells the key needed to decrypt them. This form of extortion is considered single ransomware. Double ransomware attacks not only encrypt data, but threaten to release them publicly if the ransom is not paid. Triple ransomware attacks do both and, further, threaten to contact an organization’s partners to let them know the enterprise’s security is terrible. It is possible that there is even such a thing as a quadruple ransomware attack, where the bad actors threaten to tell your mom. The point is, ransomware is troublesome, expensive and can discourage potential customers. There are 2 security architectural approaches that can be used to combat ransomware: zero trust and extended detection and response (XDR).

It is a common belief that good security is hard to achieve because bad actors only need to get 1 thing right to succeed, while security practitioners must get everything right or fail. Not so. Launching a successful ransomware attack takes several steps. In fact, it is so complicated that it takes multiple teams working together to make it happen. First, bad actors pick a target. Then they subscribe to a Ransomware-as-a-Service organization, which specializes in creating software for ransomware attacks. They infiltrate the enterprise, either by guessing a user’s password, by getting a user to click on a tainted link or by exploiting a vulnerability in the organization’s software. The complete series of steps forms the principal categories of the MITRE ATT&CK framework.1 By interrupting any of these steps, the ransomware attack fails.


Using the ATT&CK framework helps teams identify vulnerabilities to chart their attack surface. It can help teams hunt for threats to detect attacks in progress before they cause damage. It can help an enterprise discuss vulnerabilities with peer organizations such as Information Sharing and Analysis Centers (ISACs), which have been set up to protect critical infrastructure. And it can help security teams work with vendors of security tools or services, and with law enforcement, to uncover the weaknesses that led to an attack.

Zero trust is a set of architectural principles that help lock down an environment, minimizing the attack surface. The key ideas of zero trust are:

  • The perimeter does not exist (it never really did). Do not assume that someone is to be trusted just because they have already made it inside the network.
  • Verify users before allowing them to use services or access data and verify a device’s integrity before allowing it to connect to the network.
  • Do not assume users will always do the right thing. Instead, require verified access rights for each request for service.
  • Rather than attempting to track bad actors through the system, set up impediments that will slow them down.

To make these principles work in practice, 2 things need to happen. First, an identity and access management (IAM) product should be put in place to allow users and their rights or permissions to be authenticated. Without that, there will not be any source of truth to determine whether a particular request has been permitted or not. Second, segment the network. This will slow an attack. Lateral movement within the organization puts payloads in place and enables data theft and data encryption. Network segmentation blocks those attack elements.

XDR brings together information about possible attack elements (e.g., indicators of compromise [IoCs]) with logs of network traffic, quirky endpoint behavior, cloud and Software-as-a-Service (SaaS) service requests, and server events for analysis. The power of XDR is that it goes beyond security information and event management (SIEM), which merely aggregates log data, to include correlation, analysis and machine learning (ML)-augmented modelling. This forms the basis for an effective response.
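The correlation step that separates XDR from plain log aggregation, as an added example that is not part of the original article or any vendor product: constructed network, endpoint and server events are normalised, matched against a hypothetical IoC list, and joined per originating host inside a time window, so that a host showing two or more distinct attack elements becomes one incident while each source on its own would only show an isolated oddity.

```python
"""Added example (not from the article): a minimal cross-source correlation
engine in the spirit of XDR. The IoC domain, host names and telemetry below
are constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator list; in practice this comes from threat intelligence feeds.
IOC_DOMAINS = {"bad-c2.example"}  # hypothetical command-and-control domain

# Constructed telemetry from three sources, normalised to (time, source, host, detail).
EVENTS = [
    ("2021-11-01T09:00:05", "network", "ws-17", {"dns": "bad-c2.example"}),
    ("2021-11-01T09:00:40", "endpoint", "ws-17", {"renames_per_min": 850}),
    ("2021-11-01T09:01:10", "server", "fs-01", {"smb_writes_from": "ws-17"}),
    ("2021-11-01T11:30:00", "endpoint", "ws-22", {"renames_per_min": 900}),
    ("2021-11-01T12:00:00", "network", "ws-09", {"dns": "cdn.example"}),
]

WINDOW = timedelta(minutes=5)

def classify(event):
    """Map one raw event to an attack element, or None if it looks benign."""
    _, source, _, detail = event
    if source == "network" and detail.get("dns") in IOC_DOMAINS:
        return "c2_beacon"
    if source == "endpoint" and detail.get("renames_per_min", 0) > 500:
        return "mass_rename"  # bulk renames are typical of file encryption in progress
    if source == "server" and "smb_writes_from" in detail:
        return "lateral_write"  # a workstation writing to a file server share
    return None

def correlate(events, window=WINDOW):
    """Group suspicious events by originating host inside a time window; a host
    with two or more distinct attack elements yields an incident."""
    by_host = defaultdict(list)
    for ev in sorted(events):  # timestamps are ISO 8601, so string order is time order
        element = classify(ev)
        if element is None:
            continue
        ts, _, host, detail = ev
        # Attribute server-side events to the workstation that caused them.
        host = detail.get("smb_writes_from", host)
        by_host[host].append((datetime.fromisoformat(ts), element))
    incidents = {}
    for host, items in by_host.items():
        start = items[0][0]
        elements = {e for t, e in items if t - start <= window}
        if len(elements) >= 2:
            incidents[host] = sorted(elements)
    return incidents
```

With the constructed data, only ws-17 is escalated; the lone burst of renames on ws-22 stays a single low-confidence signal, which is the kind of per-source noise a SIEM alone would surface without context.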

By deploying an XDR solution (which can detect many attack elements) with a zero trust-enabled architecture (which hardens infrastructure against malicious attacks), one can substantially improve survivability against ransomware. So, deploy an IAM tool. Use multifactor authentication (MFA), at least for high-privilege accounts. Segment the network. And put an XDR tool in place for the security operations center (SOC). You will have a much calmer, more predictable, less eventful day-to-day work experience.

Endnotes

1 MITRE ATT&CK, http://attack.mitre.org/

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “Using XDR and Zero Trust to Combat Ransomware” episode of the ISACA® Podcast.

William Malik, CISA

Is vice president of infrastructure strategies at Trend Micro, where he helps clients achieve an effective information security posture spanning endpoints, networks, servers, cloud and the Internet of Things. During his 4-decade IT career, he has worked as an application programmer with John Hancock Insurance; an OS developer, tester and planner with IBM; a research director and manager for Gartner’s Information Security Strategies and Application Integration and Middleware services; and chief technology officer of Waveset, an identity management vendor acquired by Sun. Malik has also operated a consulting business providing information security, disaster recovery, identity management and enterprise solution architecture services for clients including Motorola, AIG, and Silver Lake Partners. He has authored more than 160 publications, has spoken at numerous events worldwide and is a member of CT InfraGard and ISACA®.