It is well documented that Zero Trust is a mindset whose base tenet is "assume breach." This may sound alarming, but it simply means accepting that if your organization has not yet been breached, it most likely will be. Security postures must shift from passive waiting to proactive hunting. Why is this more important than ever?
The pandemic has accelerated business transformation, driving the introduction of automation and integrated supply chains, breaking down the traditional structure of networks and systems, and creating new levels of hyper-connectivity. A trip to the hospital is now an end-to-end digital experience. You can enter and leave a retail or bank branch without interacting with a human being.
This shift has created a substantial new set of attack vectors and opportunities for cybercriminals. Adopting the "assume breach" mindset that drives a more proactive approach is now the only way forward.
But how can implementing practices in the NIST CSF help your organization limit the impact of an inevitable breach?
Illumio commissioned Bishop Fox, a leader in offensive security and penetration testing, to quantitatively measure how well Zero Trust Segmentation, combined with detection and response, contains ransomware by conducting a series of emulated ransomware attacks. In this post, we'll summarize the attack scenarios and key results. The full report is available here.
Building a more secure model: Identify, protect, detect, respond
The first two steps of the NIST CSF (Identify and Protect) are well established and obvious:
Determine which assets are most likely to be attacked and which assets will have the biggest impact if they are compromised.
Determine the vulnerabilities on each device to quantify the exposure of that device based on the mapped connections.
Block all unused and high-risk ports and protocols.
Implement ringfencing of assets and applications and allow access based on least privilege.
Step 3 (Detect) and step 4 (Respond) are where things have become fragmented.
We have progressed a huge amount from the days of signatures with the advent of machine learning, threat feeds and behavioral anomaly detection. When endpoint detection and response (EDR) first exploded onto the scene, it was viewed as the answer to all attacks on endpoints. As with all things cyber, the criminals have invested time and resources in trying to evade these new products. Too many organizations currently depend on detection and response without first implementing steps 1 and 2.
Until now, the understanding of the potential weakness of this approach has been anecdotal and passed on by word of mouth rather than measured.
Testing the impact of Zero Trust Segmentation and EDR against ransomware
The attack emulation compared implementing all four steps against implementing only detection and response. The red team used a well-established set of tactics, techniques and procedures (TTPs) from the MITRE ATT&CK and PRE-ATT&CK frameworks to attempt to infect hosts. The blue team used detection and response technologies combined with Zero Trust Segmentation from Illumio, so that the relative efficacy of each configuration in containing an active ransomware attack could be measured.
Attack scenarios explained
The test scenarios were:
Detection alone, with no segmentation (the baseline)
Detection and Zero Trust Segmentation for incident response
Detection and Zero Trust Segmentation proactively blocking well-known ports used by ransomware
Detection and Zero Trust Segmentation proactively implementing full application ringfencing
Each test measured whether the attack could be stopped and how long that would take, how many hosts were infected, and how many TTPs were executed. The scenarios were run by two Bishop Fox consultants: one acting as the red team (attacking) and one as the blue (defending).
Attack scenario results
Scenario 1 — Detection alone: This scenario was devoid of any Zero Trust Segmentation capabilities and resulted in complete success for the red team. They were able to execute all TTPs and infected all hosts after 2 hours and 28 minutes.
Scenario 2 — Detection and Zero Trust Segmentation for incident response: This model had Illumio deployed but initially in visibility mode, feeding alerts to the SIEM, which was also collecting event data from EDR, Active Directory, Sysmon, etc. Upon detection of anomalous activity, the blue team deployed a containment policy. The attack was stopped in 38 minutes.
Scenario 3 — Detection and Zero Trust Segmentation proactively blocking well-known ports used by ransomware: In this scenario, common ports that ransomware uses were blocked by Illumio to reduce lateral movement. The attack was stopped after 24 minutes with only 2 hosts compromised.
Scenario 4 — Detection and Zero Trust Segmentation proactively implementing full application ring-fencing: Full application ring-fencing was deployed, resulting in no spread of the ransomware, and the attack was stopped within 10 minutes. This is nearly 4 times faster than the reactive deployment in scenario 2 (38 minutes).
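To make the difference between a port blocklist (scenario 3) and application ring-fencing (scenario 4) concrete, here is a small constructed model, added to this post. It is not Illumio's policy engine and not Bishop Fox's emulation harness; the hosts, tiers, listening ports, attacker ports and policies are all assumptions chosen for illustration. It spreads an emulated ransomware from one foothold across a small environment under each of the four scenarios and counts the infected hosts.

```python
"""Lateral-movement containment model: no policy vs. port blocklist vs. ring-fence.

Constructed illustration added to this post. Not Illumio's policy engine and
not Bishop Fox's emulation harness; hosts, tiers, ports and policies are
assumptions chosen to show why an allowlist (ring-fence) contains spread that
a blocklist of "well-known ransomware ports" does not.
"""

# Constructed inventory: hostname -> application tier (assumed).
HOSTS = {
    "ws-7": "workstation", "ws-12": "workstation",
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
    "dc-1": "directory",
}

# Ports each tier listens on (assumed). 445 = SMB, 3389 = RDP, 5985 = WinRM;
# 443/8443/5432/389/88 are legitimate application and directory traffic.
LISTENING = {
    "workstation": {445, 3389},
    "web": {445, 5985, 443},
    "app": {445, 5985, 8443},
    "db": {445, 5432},
    "directory": {445, 5985, 389, 88},
}

# Ports the emulated ransomware tries for lateral movement (assumed TTP set;
# the report's actual TTPs are not reproduced here).
ATTACKER_PORTS = (445, 3389, 5985)

# --- Policy models: each returns True if the flow src -> dst:port is permitted ---

def no_policy(src: str, dst: str, port: int) -> bool:
    """Scenario 1: flat network, every flow allowed."""
    return True

BLOCKED_PORTS = {445, 3389}  # assumed "well-known ransomware ports" blocklist

def port_blocklist(src: str, dst: str, port: int) -> bool:
    """Scenario 3: deny a list of known-bad ports, allow everything else."""
    return port not in BLOCKED_PORTS

# Scenario 4: explicit allowlist of (src_tier, dst_tier, port); default deny.
ALLOWED_FLOWS = {
    ("workstation", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("workstation", "directory", 389),
    ("workstation", "directory", 88),
}

def ring_fence(src: str, dst: str, port: int) -> bool:
    """Scenario 4: only the flows the application actually needs."""
    return (HOSTS[src], HOSTS[dst], port) in ALLOWED_FLOWS

def simulate(initial: str, policy, hops_before_enforcement: int = 0) -> set[str]:
    """Breadth-first spread from one compromised host.

    A hop succeeds when the destination listens on an attacker port and the
    policy in force permits the flow. hops_before_enforcement models scenario 2
    (reactive containment): that many hops run against no_policy before
    `policy` is switched on. Returns the set of infected hosts.
    """
    infected = {initial}
    frontier = [initial]
    hop = 0
    while frontier:
        active = no_policy if hop < hops_before_enforcement else policy
        next_frontier = []
        for src in frontier:
            for dst, tier in HOSTS.items():
                if dst in infected:
                    continue
                reachable = any(
                    port in LISTENING[tier] and active(src, dst, port)
                    for port in ATTACKER_PORTS
                )
                if reachable:
                    infected.add(dst)
                    next_frontier.append(dst)
        frontier = next_frontier
        hop += 1
    return infected

def compare(initial: str = "ws-7") -> dict[str, int]:
    """Infected host count per scenario, for the same initial foothold."""
    return {
        "1 detection alone": len(simulate(initial, no_policy)),
        "2 reactive ring-fence (after 1 hop)": len(simulate(initial, ring_fence, 1)),
        "3 port blocklist": len(simulate(initial, port_blocklist)),
        "4 ring-fence": len(simulate(initial, ring_fence)),
    }

if __name__ == "__main__":
    for scenario, count in compare().items():
        print(f"{scenario:40s} {count}/{len(HOSTS)} hosts infected")
```

Two things the model makes visible. First, the blocklist only holds against the ports you predicted: the emulated attacker still reaches every server tier over WinRM because 5985 was not on the list, and only the hosts that listen exclusively on blocked ports stay clean. The ring-fence contains the foothold without knowing which ports the attacker will use, because anything not explicitly allowed is denied. Second, the reactive case is deliberately pessimistic: on a flat network a single hop reaches every host that exposes SMB, so a policy applied after detection has little left to contain. The real test stopped the reactive scenario in 38 minutes; the model ignores detection latency and dwell time and only shows why a policy that is already in force beats one you have to push during the incident.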
Additional testing showed that Illumio Core was “especially useful” at covering EDR blind spots in locations where attacker behavior wasn’t properly detected by preconfigured EDR alerts, highlighting the importance of both detection and response technologies and Zero Trust Segmentation in building a modern, resilient security strategy to contain ransomware.
By adopting the Zero Trust mindset of "assume breach" and "only allow least-privilege access," an organization that deploys Zero Trust Segmentation with EDR can drastically improve its protection against ransomware. This can mean the difference between being able to operate during a cyberattack and major business failure.