The sophistication and frequency of ransomware attacks continue to grow. According to Akamai CTO, Robert Blumofe, ransomware has become “a repeatable, scalable, money-making business model that has completely changed the cyberattack landscape.”
For example, Conti, the cybercrime giant that operates much like the businesses it targets — with a human resources department and an employee of the month — not only aims to make money but also to carry out politically motivated attacks. (Learn more in the Ransomware Threat Report H1 2022.)
Another alarming development: Although ransomware still mostly targets large organizations, small and medium-sized organizations are increasingly being victimized. Lincoln College in Illinois announced in May 2022 that it will close its doors after 157 years, citing a ransomware attack as a contributing cause.
How to avert a ransomware disaster
It makes sound security sense for organizations to put strong measures in place to try to stop ransomware from gaining access to their IT environments (often referred to as north-south movement). But increasingly complex traffic flows coupled with distributed workforces have left many security teams playing catch-up and making tough decisions on trade-offs.
In this post-breach world, focusing on implementing microsegmentation to ensure that the organization can stymie a ransomware attack — in addition to preventing one — can be the best way to ensure there are no disasters.
The power of Microsegmentation
Microsegmentation accomplishes two things that organizations desperately need now. The first is visibility. Enforcing a Zero Trust policy — which is the ultimate goal — begins with understanding the assets being protected and how they are (and should be) communicating with one another.
Microsegmentation helps accomplish this: Using artificial intelligence (AI) and machine learning, microsegmentation classifies traffic flows and labels data, which accelerates the path to policy creation. Security teams can then write rules with the confidence that those rules will do what’s needed: prevent malicious actions without disrupting the business.
Second, microsegmentation enables granular policies that restrict lateral movement and prohibit malicious behavior. This is the coup de grâce for ransomware. If it cannot travel laterally (east-west) within your IT environment, it cannot reach your valuable data and encrypt it.
Assisted by AI
The other plus in starting your defense strategy with microsegmentation is that AI is helping all of us organize, protect, and make sense of the vast amounts of data that we use to make our businesses run. So, no matter your industry, using AI to map all data and information flows gives you a better chance of staying ahead of ever-more sophisticated cyberattacks.
Why is Microsegmentation the best way to limit the damage of ransomware?
As we learned from leaked Conti documents, threat actors don’t begin to encrypt machines until they’ve achieved network dominance, and network dominance is achieved by spreading laterally throughout the environment.
Their initial access into a network usually isn’t via a particularly valuable device, but often through a user who was duped by a phishing email and clicked on a link that downloaded ransomware onto their device. Encrypting that machine is of little to no value to the threat actors; they must move laterally to discover more valuable assets that hold sensitive information such as customer details, credit card information, health records, and other personally identifiable information.
To keep this movement from occurring, agent-based microsegmentation logically divides the enterprise network and assets into segments that each have their own well-defined security controls. It also allows for policy within the segments, down to the individual machine, process, and service. Those controls ensure each process communicates only with the other processes that are necessary to carry out its function.
The five facets of a strong ransomware defense strategy
A strong defense is not only about blocking lateral movement but also about detecting the presence of a threat. There are five facets to building a strong ransomware defense strategy, and microsegmentation addresses all five.
To ensure your organization does not fall victim to ransomware, you need to:
- Prepare your IT environment
- Prevent movement
- Detect attempted access
- Remediate an attack
- Recover and restore operations
Prepare your IT environment
Identify every application and asset running in your environment. Microsegmentation gives you this level of granular visibility, which helps you quickly map critical assets, data, and backups — and also better identify vulnerabilities and risks. With this complete picture of your network environment, you can respond quickly, activating rules that can thwart a breach.
Prevent movement
Create rules to block common ransomware propagation techniques. Software-defined segmentation creates Zero Trust microperimeters around critical applications, backups, file servers, and databases. Segmentation policies can also restrict traffic between users, applications, and devices to block any attempt at malicious lateral movement without triggering false positives.
Detect attempted access
Detect any blocked access attempts to segmented applications and backups via alerts. This can work in concert with reputation-based detection that alerts you to the presence of known malicious domains and processes. Rapid discovery of attempted attacks minimizes dwell time and increases your odds of catching attackers.
Remediate an attack
You can remediate attacks with microsegmentation’s automatic threat containment and quarantine measures. When an attack is detected, isolation rules allow the rapid disconnection of affected areas of the network, while segmentation policies block access to critical applications and system backups.
Recover and restore operations
Use visualization capabilities to restore connectivity gradually as different areas of the network are confirmed to be clear.
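The process-level, default-deny controls described under “The five facets” above (and the agent-based segmentation described earlier, where each process may talk only to the processes its function requires) can be modelled in a few dozen lines. The following is an added example written for this post, not Akamai code and not any product’s policy language: a toy policy engine whose hosts are labelled with a segment (the “prepare” facet), whose allow rules are written in labels and process names rather than IP addresses (“prevent”), which records every denied flow as an alert (“detect”), and which supports quarantining a host and releasing it again (“remediate” and “recover”). The host names, segment labels, process names and ports are all constructed for the demonstration.

```python
"""Toy microsegmentation policy engine (added example; hypothetical names)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt between two processes."""
    src_host: str
    src_process: str
    dst_host: str
    dst_process: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """An allow rule written in segment labels, not addresses. '*' matches any process."""
    src_segment: str
    src_process: str
    dst_segment: str
    dst_process: str
    dst_port: int

    def matches(self, src_segment: str, dst_segment: str, flow: Flow) -> bool:
        return (self.src_segment == src_segment
                and self.dst_segment == dst_segment
                and self.dst_port == flow.dst_port
                and self.src_process in ("*", flow.src_process)
                and self.dst_process in ("*", flow.dst_process))


class PolicyEngine:
    """Default-deny evaluator: a flow passes only if an explicit rule permits it.
    Every denial is recorded as an alert so blocked attempts are visible."""

    def __init__(self, labels: Dict[str, str], rules: List[Rule]):
        self.labels = dict(labels)        # host -> segment label, from asset discovery
        self.rules = list(rules)          # allow list; anything unmatched is denied
        self.quarantined: Set[str] = set()
        self.alerts: List[dict] = []

    def evaluate(self, flow: Flow) -> str:
        src_seg = self.labels.get(flow.src_host, "unlabelled")
        dst_seg = self.labels.get(flow.dst_host, "unlabelled")
        # Isolation rules override the normal policy while a host is contained.
        if flow.src_host in self.quarantined or flow.dst_host in self.quarantined:
            self._alert(flow, "host quarantined")
            return "DENY"
        if any(r.matches(src_seg, dst_seg, flow) for r in self.rules):
            return "ALLOW"
        self._alert(flow, f"no rule permits {src_seg}/{flow.src_process} -> "
                          f"{dst_seg}/{flow.dst_process}:{flow.dst_port}")
        return "DENY"

    def _alert(self, flow: Flow, reason: str) -> None:
        self.alerts.append({"flow": flow, "reason": reason})

    def quarantine(self, host: str) -> None:   # remediate: cut the host off
        self.quarantined.add(host)

    def release(self, host: str) -> None:      # recover: restore connectivity
        self.quarantined.discard(host)


def build_demo_engine() -> PolicyEngine:
    """Constructed labels and rules for a small environment (hypothetical)."""
    labels = {"ws-042": "workstations", "app-01": "app",
              "db-01": "database", "bkp-01": "backup"}
    rules = [
        Rule("workstations", "browser.exe", "app", "webapp", 443),
        Rule("app", "webapp", "database", "postgres", 5432),
        Rule("app", "backup-agent", "backup", "backupd", 10000),
    ]
    return PolicyEngine(labels, rules)


# Constructed sample flows: one legitimate user session, one legitimate
# app-to-database call, and two lateral-movement attempts from an infected host.
USER_TO_WEBAPP = Flow("ws-042", "browser.exe", "app-01", "webapp", 443)
WEBAPP_TO_DB = Flow("app-01", "webapp", "db-01", "postgres", 5432)
RANSOMWARE_TO_DB = Flow("ws-042", "ransom.exe", "db-01", "postgres", 5432)
RANSOMWARE_TO_BACKUP = Flow("ws-042", "ransom.exe", "bkp-01", "backupd", 10000)


if __name__ == "__main__":
    engine = build_demo_engine()
    for flow in (USER_TO_WEBAPP, WEBAPP_TO_DB, RANSOMWARE_TO_DB, RANSOMWARE_TO_BACKUP):
        print(engine.evaluate(flow), flow)
    engine.quarantine("ws-042")            # contain the infected workstation
    print(engine.evaluate(USER_TO_WEBAPP))  # DENY while quarantined
    engine.release("ws-042")               # restore once confirmed clean
    print(engine.evaluate(USER_TO_WEBAPP))  # ALLOW again
    for alert in engine.alerts:
        print("ALERT:", alert["reason"])
```

The point of the demo is the shape of the policy rather than its size: the infected workstation’s attempts to reach the database and backup segments are denied and alerted on because no rule names that process, even though the same host’s browser is allowed through to the web application. Quarantine then removes the host from every path without editing the rule set, and releasing it restores exactly the connectivity the rules already define.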
Authored by: Dan Petrillo & Jim Black, Akamai