The response capabilities an organization would most like to have under those attacks.
Making sure that those capabilities are in place, trained, and operationally ready for a moment of need.
The goal is to move from reactive to resilient during a ransomware attack or other breach. But before that can happen, you need to know how breaches work – and the qualities that make them successful.
Hear from Nathanael Iversen, Illumio's Chief Evangelist, on why building Cyber Resilience for your organization is so important:
Keep reading to the 3 best practices to improve Cyber Resilience.
How ransomware attacks work
Nearly every successful attack follows this pattern:
Detection fails. Despite all of the scanners, heuristics, algorithms, and AI-driven, find-the-needle-in the haystack solutions, attackers still find success. And when they can breach the network perimeter or a user’s laptop without detection, they have the ability to go slowly, take their time, and quietly learn how to expand their footprint. Installing ransomware or malware isn’t the first step but the very last.
The breach spreads. Once reliable access to a single machine is stable, attackers start exploring, lurking, and learning as quietly and patiently as they need to avoid detection. Sadly, flat networks without segmentation are defenseless against this movement.
Critical assets are compromised. It’s rare that attackers immediately compromise critical systems. Often, they start on user desktops or operational technology (OT) systems. They then gradually filter through 10 to 20 systems before finding their way to critical databases, applications, or services. Once there, they can exfiltrate data, possibly violating regulatory frameworks. As a final insult, the malware locks systems and may even demand ransom.
From this simplified, but accurate description, we learn the key qualities that make an attack successful.
Ransomware attacks are opportunistic and live off what the land offers.
An initial attack provides the first network access point: a known exploit, zero-day exploit, social-engineered phishing message, or just plugging a laptop into an Ethernet port. Scanning enumerates hosts, open ports, and running services: the available attack surface.
Access is gained using whatever works, such as exploits, stolen credentials, existing trust: the opportunistic attack vectors.
The ransomware “payload” runs while the above repeats to maintain access and continue the spread: a lateral-movement attack.
How can you stay resilient in the face of an unknown attacker who is likely using an unknowable collection of exploit tools? Here are 3 best practices to use.
Implement both proactive and reactive ransomware containment strategies
If you were told that a breach was suspected or discovered on a small handful of user laptops, you would immediately want to do two things: isolate the contaminated systems and put up additional barriers to keep critical systems safe.
This should inform the things you do in advance of a breach.
Before a breach occurs, you have the opportunity to:
Tighten segmentation around administrative access.
discover and track any port or any protocol across the compute environment.
Pre-position tightly restrictive and reactive segmentation policies.
You might not activate these policies day-to-day, but what environments would you wish to close off in an instant if an attack was active? Those are the reactive policies that your security team should create and get trained to implement in advance.
Proactively close unnecessary, risky, and typically abused ports
Highly connected ports concentrate risk because they typically communicate to most or all of a given environment. This means that the whole environment is listening on them and should be protected from a hacker’s attempt to spread from one environment to another.
Peer-to-peer ports are risky because they are written to work from any machine to any machine. The problem is that no one wants them to work universally – some of the most popular ransomware vectors use these ports. In fact, 70 percent of all ransomware attacks use remote desktop protocol (RDP) to breach a network.
Well-known ports are problematic. They have long histories with many published and well-known vulnerabilities against them. And they are often on by default even if they are not intended for use. Closing them immediately reduces the attack surface.
Zero Trust Segmentation can control risky ports within hours, radically reducing risk of a breach spreading.
Isolate unaffected high-value applications and/or infected systems
Attackers want to get to high-value assets because most user systems don’t have enough data to mount a successful ransomware demand.
You should already know the most important systems and data in your environment – so why not put a tight ringfence around each of those applications, making it almost impossible for a hacker to move laterally into them?
This is a low-effort, high-reward project that any organization can do in a few weeks with Zero Trust Segmentation.
Zero Trust Segmentation creates cyber resilience
Zero Trust Segmentation applies the principle of least-privilege access to segmentation across cloud, user devices, and datacenter assets. When responding to an incident, the most essential capability is to quickly block network communication on any port in an application, environment, location, or the entire global network.
This fundamental capability provides control to contain breaches, establish clean and contaminated zones, and allows the team to move with confidence to restore systems and place them in the “clean” zone. Without it, the game of “whack-a-mole” continues for months.
The port that isn’t open can’t carry a breach attempt.
This means that every time you tighten your segmentation policy, you are effectively:
Reducing the size of the operational network.
Eliminating paths for discovery, lateral movement, and malware propagation.
Improving your control over connectivity is one of the most important capabilities you need to build stronger Cyber Resilience. A risk-informed Zero Trust Segmentation deployment can radically improve Cyber Resilience in less time than you might think.
This year's Cybersecurity Awareness Month has provided the opportunity to reflect, refocus, and plan on ways to improve your security posture. Thanks for joining us.