Refocus on Ransomware: 3 Truths to Building a Ransomware-Ready Network
With National Cybersecurity Awareness Month kicking off, the one topic you’ll hear about for certain is ransomware.
This is unsurprising since ransomware is the most common type of cyberattack organizations face.
You need to be prepared for that moment when you get a phone call that something suspicious seems to have been detected inside your environment.
This month, put your ransomware focus on three important “truths” that all organizations must accept and act on to establish a solid foundation for protecting your network from the spread of a ransomware attack.
Hear from Nathanael Iversen, Illumio's Chief Evangelist, about how to make sure your organization is ransomware ready:
Truth #1: Proactively design your network in expectation of a ransomware attack
Imagine you get the call. In that moment, whatever network of detection and sensor technologies you have selected will have done their job and incident response capabilities will be critical. After all, you can only respond with what is already deployed, active, and carefully prepared.
No one has time to build new capability on the fly when an attack is underway.
When architects design buildings, they are required to design fire doors into every floor, office, and stairwell entrance. These doors are often left open, or just function as normal doors most of the time.
But if a fire starts, these doors contain the fire and smoke and provide a safe exit for people to leave the building.
Three capabilities will give you these “fire doors” to respond effectively to a ransomware attack and minimize its impact:
- The ability to visualize traffic flows and the attack radius. A pile of raw NetFlow data will not be helpful on its own. In the moment, it is critical to have complete, automated application dependency maps and the ability to query the activity on any network port. Taken together, these make it possible to see exactly where an attack is, where it has been, and where it is trying to go.
- Next is pre-set security policies that can close off parts of the network and create safe zones everywhere the attack has not yet accessed. This stops ransomware from spreading and creates the “clean zones” that infected machines will be moved into once they have been disinfected.
- Finally, tight boundaries must be placed around any compromised machines to cut off command-and-control connections, further spread, and even reconnaissance. It is unlikely that network firewalls have enough granularity to do this. A pre-installed host-based segmentation solution ensures the correct capabilities are available when needed.
When active malware has been detected, everyone wishes they had these three capabilities, so it makes sense to implement them before they are needed. Effective containment will buy time for remediation activities to complete.
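The first of those capabilities, an application dependency map you can query during an incident, can be illustrated with a small script. This is an added example, not code from the original post or from Illumio's product: it builds a directed map from constructed flow records (source, destination, port, protocol), walks it from a host reported as compromised to show the attack radius along observed paths, and answers the "who is talking on port 445?" question. Host names, roles and ports in the sample data are invented for the example.

```python
from collections import defaultdict, deque

# Constructed sample flow records (not from the original post): each tuple is
# (source host, destination host, destination port, protocol). Ports 445 (SMB)
# and 3389 (RDP) are the spread vectors the post names later on.
SAMPLE_FLOWS = [
    ("ws-17",     "file-srv-1", 445,  "tcp"),  # workstation to file server over SMB
    ("ws-17",     "app-srv-2",  3389, "tcp"),  # workstation RDP to an app server
    ("app-srv-2", "db-srv-1",   1433, "tcp"),  # app tier to database
    ("app-srv-2", "file-srv-1", 445,  "tcp"),
    ("web-srv-1", "app-srv-2",  8443, "tcp"),
    ("jump-1",    "db-srv-1",   22,   "tcp"),  # administrative access via jump host
    ("ws-04",     "web-srv-1",  443,  "tcp"),
]


def build_dependency_map(flows):
    """Directed adjacency map: src -> {dst: set of (port, proto)} actually observed."""
    graph = defaultdict(lambda: defaultdict(set))
    for src, dst, port, proto in flows:
        graph[src][dst].add((port, proto))
    return graph


def attack_radius(graph, compromised):
    """Hosts reachable from a compromised host along observed flow paths.

    Breadth-first search over the dependency map; returns {host: hops},
    with 0 hops for the starting host. Only paths that have really been
    used appear here, which is what makes the map useful in an incident.
    """
    hops = {compromised: 0}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, {}):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def query_port(flows, port, proto="tcp"):
    """Every (src, dst) pair seen talking on a given port and protocol."""
    return sorted({(s, d) for s, d, p, pr in flows if p == port and pr == proto})


def print_report(flows, compromised):
    """Human-readable view of the radius and the SMB activity for one incident."""
    graph = build_dependency_map(flows)
    radius = attack_radius(graph, compromised)
    print(f"Hosts reachable from {compromised} via observed paths:")
    for host, h in sorted(radius.items(), key=lambda kv: kv[1]):
        print(f"  {host} ({h} hops)")
    print("Pairs talking SMB/445:", query_port(flows, 445))


if __name__ == "__main__":
    print_report(SAMPLE_FLOWS, "ws-17")
```

Run as-is it reports that a compromise on ws-17 can reach file-srv-1 and app-srv-2 directly and db-srv-1 two hops away through the app tier, while jump-1, web-srv-1 and ws-04 sit outside the radius; that set of hosts is exactly what the pre-set containment policy from the next bullet needs to act on.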
Truth #2: Eliminating risk is better than managing it
Once an attack is underway, there are lots of tools that promise to spot it and do something about it.
But there is an even deeper truth: an attack can only spread via open ports. If there’s no path, there’s no spread.
Every unnecessarily open port that is closed reduces risk. The size of the operational network shrinks, eliminating risk and reducing the attack surface.
How do you accomplish this?
- Close high-risk, high-value, and commonly abused ports. Most commercial ransomware uses a handful of well-known protocols to spread, like RDP and SMB, which often do not need to be globally open. Most penetration specialists use standard tool kits to explore an environment and look for common vulnerabilities on well-known ports. In almost all cases, these well-known ports do not need to be globally open. Closing them doesn't merely reduce risk; it eliminates those vectors entirely. Why manage what you can eliminate?
- Ringfence high-value applications. In the unfortunate event that something bad is discovered in your environment, the very first thought will be the highest-value applications and data. The likelihood is that the compromise will be detected at the edge or endpoint, but the concern is the “most important things.” At that moment, everyone will wish that they were fully ringfenced and had a tight Zero Trust Segmentation policy attached. Build that policy now — then it will be in place and those critical assets will already have eliminated most of the risk from a network attack.
- Control administrative access. Most organizations use jump hosts. Ensure that all forms of administrative access are tightly controlled to the users and jump hosts appropriate for the environment. No application or port should respond to random administrative access, particularly from the user environment. Radically curtailing all administrative protocols eliminates many classes of attacks.
Risks that don’t exist don’t have to be managed. And while no one technology eliminates the need for complementary technologies, it remains true that a solid base of targeted segmentation will eliminate huge amounts of risk of breach spread.
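The three steps above (close commonly abused ports, ringfence high-value applications, restrict administrative access) amount to a default-deny host policy. The following is an added example, not code from the original post or from any vendor product: it encodes such a policy as a small allowlist, evaluates constructed flow records under a flat "everything open" baseline and under the segmented policy, and counts how many services a workstation can still reach under each. The hypothetical "payroll" application, the host names, the role labels and the sample flows are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed or attempted connection, with the role each host plays."""
    src: str
    src_role: str   # "workstation", "jump", "web", "app", "db", "file"
    dst: str
    dst_role: str
    port: int


ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM
LATERAL_PORTS = {445, 135, 139}        # SMB and RPC, the classic spread vectors

# Ringfence for the hypothetical "payroll" application: the only role-to-role
# flows permitted inside the fence. Anything else aimed at a payroll tier is denied.
PAYROLL_FENCE = {("web", "app", 8443), ("app", "db", 1433)}

# Public-facing services that any user may reach.
USER_SERVICES = {("web", 443)}


def allowed_under_flat_network(flow):
    """Weak baseline: every port is globally reachable, no segmentation at all."""
    return True


def allowed_under_segmentation(flow):
    """Default-deny host policy built from the three steps in the post."""
    # Step 3: administrative protocols answer only to the jump host.
    if flow.port in ADMIN_PORTS:
        return flow.src_role == "jump"
    # Step 1: SMB/RPC are not globally open; only file servers accept them,
    # and only from the app tier, never from the user environment.
    if flow.port in LATERAL_PORTS:
        return flow.dst_role == "file" and flow.src_role == "app"
    # Step 2: ringfenced payroll tiers accept only their declared dependencies.
    if flow.dst_role in {"app", "db"}:
        return (flow.src_role, flow.dst_role, flow.port) in PAYROLL_FENCE
    # Everything else must be on the explicit user-services allowlist.
    return (flow.dst_role, flow.port) in USER_SERVICES


def evaluate(flows, policy):
    """Split flows into (allowed, blocked) under the given policy function."""
    allowed = [f for f in flows if policy(f)]
    blocked = [f for f in flows if not policy(f)]
    return allowed, blocked


def exposed_to_role(flows, policy, role):
    """Set of (destination, port) a given source role can reach: its attack surface."""
    return {(f.dst, f.port) for f in flows if f.src_role == role and policy(f)}


# Constructed sample flows (not from the original post); the first three and
# the last one are the kind of lateral movement ransomware relies on.
SAMPLE_FLOWS = [
    Flow("ws-17", "workstation", "file-srv-1", "file", 445),
    Flow("ws-17", "workstation", "app-srv-2", "app", 3389),
    Flow("ws-17", "workstation", "db-srv-1", "db", 1433),
    Flow("app-srv-2", "app", "db-srv-1", "db", 1433),
    Flow("web-srv-1", "web", "app-srv-2", "app", 8443),
    Flow("app-srv-2", "app", "file-srv-1", "file", 445),
    Flow("jump-1", "jump", "db-srv-1", "db", 22),
    Flow("ws-04", "workstation", "web-srv-1", "web", 443),
    Flow("ws-04", "workstation", "db-srv-1", "db", 3389),
]


if __name__ == "__main__":
    for name, policy in [("flat network", allowed_under_flat_network),
                         ("segmented", allowed_under_segmentation)]:
        allowed, blocked = evaluate(SAMPLE_FLOWS, policy)
        surface = exposed_to_role(SAMPLE_FLOWS, policy, "workstation")
        print(f"{name}: {len(allowed)} allowed, {len(blocked)} blocked, "
              f"{len(surface)} services reachable from a workstation")
        for f in blocked:
            print(f"  blocked {f.src} -> {f.dst}:{f.port}")
```

Under the flat baseline all nine flows pass and a workstation can reach five distinct services; under the segmented policy the four lateral-movement attempts are denied and a workstation is left with a single reachable service, the public web front end. The legitimate tier-to-tier and jump-host flows are untouched, which is the point of writing the policy from the application's real dependencies rather than from port numbers alone.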
Truth #3: You need both Zero Trust Segmentation and EDR to stop ransomware spread
The best thing you can do to eliminate the spread of breaches is to deploy Zero Trust Segmentation in addition to an existing endpoint detection and response (EDR) product.
Bishop Fox recently conducted a series of emulated ransomware attacks in which attackers tried to compromise a network protected only with EDR and a network protected with EDR and Zero Trust Segmentation.
They found that while EDR was very effective at spotting and ultimately remediating many attacks, networks that were also protected by Zero Trust Segmentation contained attacks four times faster, and with radically fewer hosts compromised.
The better your segmentation policy, the more effective your EDR can be. Give your EDR superpowers by adding Zero Trust Segmentation to your deployment for maximal responsiveness.
Be prepared for inevitable ransomware attacks
Ransomware is a scourge of the modern user and compute environment. But effective preparations can be made to ensure that a breach is an event, not a catastrophe.
Investing in a quality set of proactive and reactive incident response segmentation policies will give your security team valuable controls in the critical first minutes of a response.
The teams that eliminate risk before an event will always have less to do than the ones that have left critical applications widely exposed and high-risk ports and management protocols wide open. And who wouldn’t want their EDR to work four times faster with fewer compromised hosts?
The Illumio Zero Trust Segmentation Platform provides these foundational capabilities that will eliminate risk and improve response capabilities. That is exactly the kind of awareness this month is all about!
Join us next week as we bring new insight to why you should focus on Zero Trust Segmentation this Cybersecurity Awareness Month.