We’ve all seen the concepts of “resilience” and “emergency containment” in movie theaters and on TV. In outer space, the detection of a hull breach, or a deadly intruder, prompts the immediate, automatic closure of the hatches that separate different segments of a spaceship.
Resilience Is Science Fact, Not Science Fiction
In cyberspace, the inevitability of a breach must be presumed — and prepared for strategically and tactically. This presumption is what gave rise to John Kindervag’s groundbreaking research on Zero Trust as a resilience strategy.
Zero Trust Segmentation of the internal network is not only preventive, it also can be used as a highly targeted and effective mid-attack response, improving cyber resilience.
Cyber resilience can be manifested in at least three points in time:
- As a preventive measure: with the recent spike in successful ransomware attacks, the U.S. FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Homeland Security have asked organizations to implement Zero Trust Segmentation as a pre-attack measure, to limit the blast radius of a ransomware incursion.
- Mid-attack: a secondary “emergency ransomware containment switch” can be executed in the earliest stages of a ransomware attack — before an EDR- or XDR-based defense realizes the attack is underway.
- Post-breach, to accelerate recovery: if Zero Trust Segmentation telemetry and controls are installed during the recovery phase, visibility into how ransomware spread and the ability to bring critical systems online are accelerated.
This article focuses on the mid-attack phase. If Zero Trust Segmentation had been installed prior to the attack, a secondary set of “emergency” controls can be placed in standby mode in the cyber defender’s incident response runbook.
Managed service providers (MSPs), managed security service providers (MSSPs) and managed detection and response (MDR) vendors help their clients identify, build, test and stage multiple response options, based on different types of events and incidents. Many are using a security orchestration and automated response (SOAR) process to help automate the process flow across investigation, detection, and real-time response. That’s why this concept of an emergency ransomware containment switch is particularly effective in the hands of MSPs, MSSPs and MDR vendors.
Key to Mid-Attack Response: The Existence of Pre-Attack Telemetry and Control Mechanisms
In a previous article in this series, I described how pre-attack Zero Trust Segmentation will not only limit any malware’s blast radius but will also enable the earliest possible detection of a ransomware attack. This is attributable to the lateral movement tripwires and other telemetry that are installed pre-attack.
Now, let’s fast-forward to when a ransomware attack has started. The first network node has been infected with ransomware. The ransomware’s attempts to move laterally, and to communicate with a command-and-control server, are detected by the installed telemetry. Using the traffic analysis that the segmentation platform’s telemetry enables, the specific ports being used for command-and-control and lateral-movement attempts can be shut down immediately, on all or selected network nodes.
Alternatively, or in addition, certain nodes on the internal east-west network can be immediately quarantined before the encryption stage of the MITRE ATT&CK chain is completed. Such real-time isolation can achieve at least three mitigations simultaneously by preventing:
- The ingress of ransomware into un-reached nodes, using a more restrictive level of segmentation than the initial preventive segmentation
- Already-reached nodes from fetching deadly encryption keys from the command-and-control server
- The spread of ransomware from already-reached nodes to other, untouched parts of the network
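The following is an added illustration, not code from the original article or from any segmentation vendor. It models the “emergency containment switch” just described: flow records from the segmentation platform’s telemetry (a constructed record format) are scanned for blocked east-west attempts on tripwire ports and blocked egress attempts; nodes that trip the rules are treated as already reached, the probed ports are shut on every node, and reached nodes are quarantined except for the responders’ management hosts. The tripwire port set, the detection threshold, the host names and the sample telemetry are all assumptions made for the example, and the three checks at the end correspond to the three mitigations listed above.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Tripwire ports the telemetry watches for east-west probing (assumption for
# this example; a real deployment derives them from its own preventive policy).
TRIPWIRE_PORTS = {135, 445, 3389, 5985}


@dataclass(frozen=True)
class Flow:
    """One flow record from the segmentation platform's telemetry (constructed format)."""
    src: str
    dst: str
    dport: int
    direction: str  # "internal" (east-west) or "egress" (leaving the network)
    action: str     # "allowed" or "blocked" by the preventive policy


@dataclass
class EmergencyPolicy:
    """Standby containment controls layered on top of the preventive policy."""
    quarantined: set = field(default_factory=set)    # already-reached nodes
    blocked_ports: set = field(default_factory=set)  # probed ports, shut on all nodes
    management: set = field(default_factory=set)     # responders' hosts, still reachable


def detect_reached_nodes(flows, threshold=2):
    """Return (reached_nodes, probed_ports) derived from the telemetry.

    A node counts as reached when it sources `threshold` or more blocked
    east-west attempts on tripwire ports, or any blocked egress attempt
    (a command-and-control beacon that the preventive policy denied).
    """
    attempts = defaultdict(int)
    probed_ports = set()
    reached = set()
    for f in flows:
        if f.action != "blocked":
            continue
        if f.direction == "internal" and f.dport in TRIPWIRE_PORTS:
            attempts[f.src] += 1
            probed_ports.add(f.dport)
        elif f.direction == "egress":
            reached.add(f.src)
    reached |= {node for node, n in attempts.items() if n >= threshold}
    return reached, probed_ports


def build_emergency_policy(flows, management):
    """The emergency containment switch: derive standby controls from telemetry."""
    reached, probed_ports = detect_reached_nodes(flows)
    return EmergencyPolicy(quarantined=set(reached),
                           blocked_ports=set(probed_ports),
                           management=set(management))


def is_permitted(policy, flow):
    """Evaluate a flow against the emergency policy; the preventive policy still applies."""
    if flow.action == "blocked":  # preventive segmentation already denies it
        return False
    if flow.src in policy.quarantined or flow.dst in policy.quarantined:
        # A quarantined node may talk only to the responders' management hosts,
        # which blocks both its outbound key fetch and its spread to other nodes.
        return (flow.direction == "internal"
                and (flow.src in policy.management or flow.dst in policy.management))
    if flow.direction == "internal" and flow.dport in policy.blocked_ports:
        return False  # probed port is shut even between untouched nodes
    return True


# Constructed sample telemetry; 198.51.100.7 is a documentation (TEST-NET-2) address.
TELEMETRY = [
    Flow("ws-17", "fs-01", 445, "internal", "allowed"),          # normal file-share use
    Flow("ws-17", "ws-18", 445, "internal", "blocked"),          # tripwire: workstation-to-workstation SMB
    Flow("ws-17", "ws-19", 3389, "internal", "blocked"),         # tripwire: workstation-to-workstation RDP
    Flow("ws-17", "198.51.100.7", 8443, "egress", "blocked"),    # beacon to an unknown external host
    Flow("ws-22", "ws-23", 445, "internal", "blocked"),          # single stray attempt, below threshold
    Flow("app-03", "db-01", 5432, "internal", "allowed"),        # ordinary application traffic
]
MANAGEMENT = {"ir-jump-01"}  # hypothetical incident-response jump host


def demo():
    """Build the policy from the sample telemetry and check the three mitigations."""
    policy = build_emergency_policy(TELEMETRY, MANAGEMENT)
    checks = {
        "spread_from_reached": is_permitted(policy, Flow("ws-17", "app-03", 8080, "internal", "allowed")),
        "c2_from_reached": is_permitted(policy, Flow("ws-17", "198.51.100.7", 443, "egress", "allowed")),
        "ingress_on_probed_port": is_permitted(policy, Flow("app-03", "fs-01", 445, "internal", "allowed")),
        "responder_access": is_permitted(policy, Flow("ir-jump-01", "ws-17", 22, "internal", "allowed")),
        "untouched_business_flow": is_permitted(policy, Flow("app-03", "db-01", 5432, "internal", "allowed")),
    }
    return policy, checks


if __name__ == "__main__":
    policy, checks = demo()
    print("quarantined:", sorted(policy.quarantined), "blocked ports:", sorted(policy.blocked_ports))
    for name, allowed in checks.items():
        print(f"{name}: {'permitted' if allowed else 'denied'}")
```

Running `demo()` quarantines only `ws-17` (the node with repeated tripwire hits and a denied beacon), shuts ports 445 and 3389 network-wide, and leaves `ws-22`, whose single stray attempt stays below the threshold, untouched; the threshold is the tuning point between catching the first infected node early and quarantining a host for one misconfigured connection.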
When It Comes to Cyber Resilience, Not All Preventive Measures Are Created Equal
All three pre-attack ransomware resilience measures recommended by the U.S. FBI, CISA and DHS (Zero Trust Segmentation, multifactor authentication (MFA) and OS patching) are essential. But only Zero Trust Segmentation is equally useful, simultaneously, as a:
- Pre-attack measure that limits ransomware communication and propagation options
- Post-intrusion early detection tool
- Post-detection, real-time, targeted ransomware isolator
In 2021, far too many organizations found themselves dealing with a ransomware attacker after the final stage of the attack. By then, the ransomware had already spread across the entire internal network and identified its encryption targets, retrieved encryption keys, and completed the encryption and ransom stage. The consequences of disrupted operations, brand damage, ransom payout, post-ransom investigation, and mitigation (including post-breach Zero Trust Segmentation, mandated by the organization’s cyber-insurance carrier) are mostly avoidable, and collectively add up to a very expensive “cure.”
It doesn’t need to be that way. Before the next attack begins, enterprises can and must take the most important step: deploying Zero Trust Segmentation, with all its associated preemptive attack restraints, attack detection and real-time, targeted containment capabilities. When it comes to ransomware, an ounce of preventive segmentation is worth more than a pound of cure.