Zero Trust Access vs. Targeted Ransomware Attacks

Ransomware is the other pandemic hitting individuals and businesses worldwide. Newsworthy incidents usually affect critical infrastructure and services. Still, the gamut of victims spans from large companies targeted explicitly to individuals at home hit by automated malware infections, with small and medium-sized businesses in between. No individual or company is exempt from this threat. The advent of the hybrid workspace derived from the effects of the COVID-19 pandemic created a target-rich environment for attackers. With the workforce working remotely and coming often to work on-site, in many instances using unmanaged devices, the footprint of shadow IT increased, and the attack surface grew as a result. Chaos brings fresh opportunities for ransomware-as-a-service rings and their affiliates. In this context, what can IT and OT leaders do to better protect data and operations against ransomware attacks?

In this blog, we address at a high level how a Zero Trust strategy can make for a powerful defensive stance.

Prevention alone is not enough

An assortment of attack vectors that bad actors exploit, and enough structural vulnerabilities in organizations working under the implicit trust model, allow attackers to move laterally across the network after managing to access the targeted system. The most common ingress vector is spearphishing (social engineered e-mails) combined with zero-day vulnerabilities. Attackers then move laterally to spread and detonate the payload to exfiltrate and encrypt sensitive data. After the initial breach, it can take months for the attack to be detected. The worst-case scenario happens when detection happens too late: when the endpoints and servers were encrypted, the data has been exfiltrated, and the ransom is being demanded.

It’s long been stated that prevention alone is not enough. Constant patching, firewalls, network access control, and endpoint, mail, and server security are necessary to mitigate risk. Still, ultimately hackers will find a way to breach traditional perimeter defenses, as it is being proven repeatedly. Yet, historically, cybersecurity investments are biased towards these preventive security controls, which for the most part, are complex to manage effectively and, as a result, are usually underutilized or poorly configured. Next-gen firewall policy drift is a common ailment, and so is the network performance and availability impact of security controls that hairpin traffic through choke points. While Zero Trust Access (ZTA) solutions certainly lower the risk of an initial breach, they boost detection and response speed and effectiveness by:

• Considerably slowing down the attacker's kill chain by depriving them of network visibility
• Facilitating fast detection of anomalous behavior (even more with AI/ML assistance)
• Reducing the blast radius of the breach thanks to macro, micro, and nano segmentation

To top it off, a well-designed ZTA solution architecture avoids the security vs. network availability trade-offs.

287 is the average number of days to identify and contain a data breach. The longer it takes to identify and contain, the more costly the breach."
Cost of a Data Breach 2021, IBM/Ponemon Report

The fatalism of the main Zero Trust premise

There is some degree of fatalism or pessimism in the definition of Zero Trust. The concept starts from the premise that breaches are inevitable and that enterprises must always assume a breach has already occurred and an attack is in progress. Therefore, organizations must also focus on investing in rapid detection and response capabilities with the same emphasis they invest in prevention, if not more. This not-so-new paradigm of Zero Trust challenges the importance of firewalls and of any security tool that works under the old implicit trust model. Under the zero trust edge model, the new perimeter centers around user, device, app, and data identities, their behavior, and the context, with policies enforced as closely as possible to the resource being accessed. Under this model, authentication and authorization are evaluated constantly to inform adaptive policies, hence the “zero trust” monicker. Location in the network is not as important as it used to be, while identity gained center stage.

Arguably, Zero Trust changes the definition of a breach. Because breaches will always occur and are as inevitable as zero-day vulnerabilities and human ingenuity, the zero trust model may not consider a breach the unauthorized access into the network, but the exfiltration, destruction, and/or encryption of data by the attacker. It is not the ingress but the egress what causes the damage. A data backup won't bring back your sensitive data that is out in the wild. In short, a ransomware attack may be in progress, but if detected, contained, and eliminated quickly, it is not successful, there was no breach (no detonation, no exfiltration), and it is just “business as usual”: the SOC team catching bad guys "in fraganti". True zero trust network security tools, not the same old ones being stamped with the zero trust seal for marketing purposes, deliver enough time to the SOC to detect and respond effectively to ransomware attacks.

$4.62m is the average total cost of a ransomware breach. Ransomware and destructive attacks are costlier than other types of breaches.
Cost of a Data Breach 2021, IBM/Ponemon Report

Zero Trust Access as your special force against attackers

A successful defense against the constant threat of ransomware depends on making the infrastructure as hard of a target as possible. It makes an attack costly and therefore unprofitable to criminal organizations. In short:

• Always work under the assumption that the attacker has already breached your traditional perimeter defenses. Assume breach. Your firewalls and other legacy security controls are a Maginot line that resourceful attackers can always circumvent. Hackers will always find a way around static defenses. If military history can be used as an analogy, a static defense doctrine has failed more than often. Go for a defense in depth.
  
  
• Conduct what could be described as asymmetrical cyberwarfare to eliminate their will to continue an attack: make it costly, financially. Time equals money, so the more you slow down an attacker, and the faster you detect and respond, the more likely the attacker will switch focus to softer targets. The potential cost of a successful attack means that your ROI in a ZTA solution will always be positive: just make the attacker’s ROI negative and you will succeed. If military history can be used as an analogy,  Afghanistan has never been fully conquered and occupied in over two millennia because of the rugged terrain, resiliency of the local tribes, and their asymmetrical warfare tactics. In short: turn your network into a rugged terrain for attackers (leverage multi-cloud, segment the networks, implement multi-factor authentication), be resilient and cost-efficient (build adaptive policies), and be smart (leverage AI and build an intelligent network over time).

$1.76m is the cost difference in breaches where mature zero trust was deployed vs. no zero trust."
Cost of a Data Breach 2021, IBM/Ponemon Report

The human element of Zero Trust Access

A ZTA platform in combination with SDP capabilities, manned by a talented team of operators, can slow down the attacker by:

• Reducing the attack surface. You can’t hit what you can’t see. So by depriving the attacker of network visibility, you effectively slow down the attack and give enough time and focus to detect and respond to it. Through macro, micro, and nano-segmentation of users, devices, apps, and data, and intelligent and adaptive least privilege access policies, not only the attack surface is reduced but, theoretically speaking, it could be completely eliminated over time. The attacker may have breached your perimeter defenses, but he can’t see anything on the other side other than the resource being accessed, and therefore he can’t move laterally to spread the ransomware payload.
  
  
• Understanding, not just seeing, everything that flows in your IT and OT infrastructure. To achieve complete control, you need full visibility to gain information and knowledge about what’s going on in your infrastructure. A ZTA platform that integrates with multiple IDP and CMDB sources, an architecture that does not care about your existent hybrid network topology, and a control center that leverages AI for policy alerts and recommendations, enable the SOC to detect and respond to threats faster.

A talented team with the right ZTA platform that leverages sound integrations, and the help of a multiplier such as AI, can detect, contain, and eradicate ransomware threats fast enough to help organizations always stay ahead of attackers. The battle is won, not when any given attack by a bad actor is unsuccessful, but when the attacker quickly perceives the target is too hard and decides to prioritize its resources to go after softer ones.

Conclusion

There is no silver bullet against ransomware unless everyone stops paying the ransom. Only working constantly towards the aspirational goal of eliminating the attack surface increases the outcome of attacks being ultimately unsuccessful. Your intelligence is your best weapon. You can equip it with the visibility tools and AI assistance for higher efficiency and accelerate your organization’s journey towards a zero trust network architecture. Make your organization and your supply chain smart and resilient, and the cybercriminal rings will eventually focus their targeted efforts elsewhere.

About Elisity

Elisity offers an identity-driven control plane for corporate networking and remote access without tying customers to a particular network or network security technology. Its Cognitive Trust platform, delivered as a cloud-based service, is deployed as an overlay or underlay on whatever WAN and/or SD-WAN infrastructure an enterprise prefers to protect data, users, devices, and applications in the data center, the cloud, at home, and everywhere. Request a demo and see the possibilities with Elisity Cognitive Trust.