Adaptive Segmentation | micro-segmentation
July 1, 2020

How Illumio Edge Prevents the Spread of Ransomware on Endpoints

Matthew Glenn

In my previous post, we showed that ransomware became so damaging once it was paired with malware that moves laterally between systems.

“…there was a moment of disbelief, initially, at the sheer ferocity and the speed and scale of the attack and the impact it had.” – Lewis Woodcock, Moller-Maersk head of cybersecurity compliance, commenting on the impact of NotPetya

Following up on that post introducing Illumio Edge from last week, we will take a closer look at how lateral movement is used in attacks and how endpoint Zero Trust can make life harder for attackers.

Over the past few years, ransomware has driven headlines due to its ability to devastate entire companies or municipalities through self-propagation. This can be self-replication (“ransomworms”) or attacker-controlled, living-off-the-land attacks that move peer-to-peer using built-in administrative tools and encrypt systems as they go.

As we can see in the examples below, ransomware uses open inbound ports to move between endpoints, like TCP 3389 for RDP or TCP 139 and 445 for SMB.

[Figure: ransomware families and the open ports they use to spread]

Here is where Illumio threads the needle between productivity and security. We cannot close every inbound port on laptops if we want to run a business. There are legitimate business needs for those ports to be open – for instance, if you use Microsoft Teams. However, given how ransomware spreads, we cannot afford to leave unused ports open. That’s unnecessary surface area and a playground for bad actors.

Until now, there have been no tools on the market that allow organizations to see and understand the services and traffic occurring laterally, peer-to-peer between laptops. Nor have there been simple tools to reduce this peer-to-peer attack surface by closing ports in a way that is not time-intensive and hard to manage properly. To date, the best option has been hand-building Windows Firewall rules through Microsoft Group Policy Objects (GPOs) and throwing hours (and often bodies) at maintaining them.

A Zero Trust workflow

We designed Illumio Edge to provide a simple first step to Zero Trust endpoint communications. That first step doesn’t require labor-intensive configuration, and it delivers visibility into peer-to-peer traffic so that you do not disrupt the business by blocking authorized communication.

The Illumio Edge administrator begins by selecting the peer-to-peer applications and services the organization wants to permit, like Skype for Business, Zoom, etc., which only takes minutes. Illumio Edge can also account for custom and/or less common P2P services.

With this policy in place, users can quickly activate Illumio Edge in enforcement mode. We recommend starting small, not for scale reasons, but to ensure that you feel comfortable deploying more. If you are uncomfortable going to enforcement quickly, Illumio Edge supports illumination mode, which allows you to “test” policies before moving to enforcement. Any traffic that would have been blocked had the device been in enforcement mode is logged as “Potentially Blocked.”

This workflow ensures that you can safely stop ransomware from propagating, but do so without breaking your business.

Deployment: Illumio or via CrowdStrike

Illumio Edge’s architecture is decoupled from the network so that it follows the user wherever they go – on and off the corporate network. Illumio’s lightweight agent, the Virtual Enforcement Node, or VEN, receives security instructions from the cloud-delivered Illumio Edge console and uses them to program the firewall native to Windows on every laptop – wherever it is.

Organizations can deploy Illumio Edge directly from Illumio, compatible with Windows 7 and 10.

Alternatively, existing CrowdStrike customers can activate Illumio Edge using their Falcon agent. This delivers complete endpoint protection with state-of-the-art CrowdStrike prevention and Illumio Zero Trust containment, without the need to deploy an Illumio VEN. Joint customers gain the power of endpoint Zero Trust thanks to Illumio’s streamlined policy workflow, which leverages the Falcon agent to program the Windows Firewall.

When the CrowdStrike agent is used, traffic data and heuristics are shared between the CrowdStrike SaaS and Illumio Edge’s SaaS. CrowdStrike customers gain visibility and author firewall policies within Illumio; those policies are then propagated via the CrowdStrike SaaS to the CrowdStrike Falcon agent, which effectively behaves like a VEN.

CrowdStrike customers can get started with Illumio Edge for CrowdStrike in the CrowdStrike Store.

Illumio Edge in action

So, how does it work? Let’s examine how we stop TrickBot from spreading and dropping ransomware onto systems. TrickBot is a banking Trojan that has evolved to include dropper capabilities so it can pull down other pieces of malware, like Ryuk ransomware, to the systems it has infected.

TrickBot gains its initial infections via email (no surprise). At that point, it spreads to other systems via SMB, TCP port 139 or 445, the protocol used for file and print sharing between systems. It contacts its C&C server to fetch Ryuk, uses admin tools like PowerShell or PsExec to push the ransomware onto machines (PsExec itself rides over SMB, using the ADMIN$ share and named pipes on port 445), deletes backups and volume shadow copies, and then encrypts.

With Illumio Edge, the unfortunate initial infection via email will still occur. However, at that point, Illumio Edge will prevent TrickBot from spreading beyond the first system infected, because every other laptop refuses inbound SMB. The rest of the attack is neutralized, as shown below, and the breach is contained to a single endpoint instead of the whole fleet.

[Figure: Illumio Edge blocking TrickBot’s SMB spread after the initial infection]
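To make the mechanism concrete, here is the same two-phase workflow (observe peer-to-peer traffic, then enforce an allowlist) implemented directly against the built-in Windows Firewall with the NetSecurity cmdlets. This is an added illustration written for this page, not Illumio Edge code or the VEN’s policy format; it covers the port discussion above, the illumination-then-enforcement workflow, and the TrickBot SMB case. The program paths, rule names, and log location are assumptions; adjust them for your estate and run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added illustration (not Illumio Edge code): a deny-by-default inbound policy for
# laptops that keeps approved peer-to-peer apps working while closing the lateral-
# movement ports (SMB 139/445, RDP 3389), with an "illumination" pass first.
# Program paths, rule names and the log path are assumptions for this example.

# Peer-to-peer apps the business needs (constructed allowlist; edit for your environment).
$AllowedPrograms = @{
    'Teams' = "$env:LOCALAPPDATA\Microsoft\Teams\current\Teams.exe"
    'Zoom'  = "$env:APPDATA\Zoom\bin\Zoom.exe"
}
# Ports ransomware uses to hop between endpoints, per the figure above.
$LateralPorts = @(139, 445, 3389)
$LogFile      = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Enable-IlluminationLogging {
    # Log ALLOWed as well as DROPped connections on every profile so we can see
    # which peers really talk to this laptop before enforcing anything.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -LogAllowed True -LogBlocked True `
        -LogFileName $LogFile -LogMaxSizeKilobytes 32767
}

function Get-PotentiallyBlocked {
    # Parse pfirewall.log (W3C format; fields: date time action protocol src-ip dst-ip
    # src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path)
    # and return inbound TCP connections that were allowed today but that the
    # enforcement policy below would block, i.e. the "Potentially Blocked" set.
    param([string]$Path = $LogFile, [int[]]$Ports = $LateralPorts)
    Get-Content -Path $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 17 -and $f[2] -eq 'ALLOW' -and $f[3] -eq 'TCP' -and
                $f[16] -eq 'RECEIVE' -and ($Ports -contains [int]$f[7])) {
                [pscustomobject]@{
                    Time      = "$($f[0]) $($f[1])"
                    Peer      = $f[4]
                    LocalPort = [int]$f[7]
                    Status    = 'Potentially Blocked'
                }
            }
        }
}

function Set-EnforcementPolicy {
    # 1. Deny-by-default inbound (Windows' shipping default, re-asserted here so a
    #    GPO or an installer cannot have flipped it).
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    # 2. Switch off the built-in rule groups that open SMB and RDP to any peer.
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    # 3. Explicit block as belt and braces: Windows Firewall applies Block rules
    #    ahead of Allow rules, so a later "allow" rule cannot quietly reopen these ports.
    if (-not (Get-NetFirewallRule -DisplayName 'Edge-Block-Lateral' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Edge-Block-Lateral' -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $LateralPorts -Profile Any | Out-Null
    }

    # 4. Allow inbound only for the approved peer-to-peer programs, scoped to the
    #    binary rather than a port range, so the app works and nothing else rides along.
    foreach ($name in $AllowedPrograms.Keys) {
        $rule = "Edge-Allow-$name"
        if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $rule -Direction Inbound -Action Allow `
                -Program $AllowedPrograms[$name] -Profile Domain,Private | Out-Null
        }
    }
}

# Usage: run illumination for a few days, review the report, then enforce.
# Enable-IlluminationLogging
# Get-PotentiallyBlocked | Format-Table -AutoSize
# Set-EnforcementPolicy
```

Two points worth keeping in mind. The block lives on the receiving laptop, so an infected host can still attempt outbound SMB; containment comes from every other endpoint refusing the connection, which is why the policy has to reach the whole fleet, on and off the network. And a hand-rolled script like this is exactly the GPO-style maintenance burden the post describes: every new peer-to-peer application means another program path to discover and roll out.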

As we said before, it does all this for the cost of a cup of coffee, per user, per month.

Illumio has made it simple to take the next step to protect your organization from the risk of massive malware and ransomware attacks.
