Ransomware Containment

Understanding Ransomware: The Most Common Attack Pattern

Digital transformation is now a number one strategic business goal. From Sydney to San Francisco, boardrooms are working out how best to harness the power of the cloud, AI, IoT and more to drive success. Their efforts are not only vital to create new customer experiences and streamline business processes. They are also critical to supporting the new hybrid working model rapidly emerging from the ashes of the pandemic.

However, the price organizations often pay for growing their digital footprint is expanding the cyberattack surface. This invites cyber risk — particularly the threat of damaging ransomware breaches.

Scores of ransomware developers and affiliate groups are currently operating around the globe. That means there are also a wide variety of attack tactics, techniques and procedures in circulation. But that doesn’t mean we can’t discern a primary modus operandi. Even better, we can take this general attack pattern and apply a simple three-step process to help mitigate ransomware risk.

This is the value of micro-segmentation based on comprehensive visibility into the communications of network assets and the common pathways used by threat actors.

This blog post will answer common questions about how ransomware works — and how to stop it.

Why does ransomware matter?

Ransomware reached record-breaking levels within the first three quarters of 2021, with one vendor recording close to 500 million compromise attempts globally. Attacks have evolved in recent years to the point where data exfiltration is now the norm, adding a whole new element of business risk. It means organizations can’t simply back up data and cross their fingers. There’s a real risk of financial and reputational damage stemming from the data breach alone.

Today, so-called “double extortion” attacks could result in:

  • Regulatory fines
  • Lost productivity
  • Lost sales
  • IT overtime costs to recover and investigate
  • Legal fees (e.g., class action suits in the event of a data breach)
  • Customer churn
  • Declining share price

Every organization and every attack is different. While some commentators estimate the average financial impact at nearly $2 million today, some raids have cost victims hundreds of millions. That makes it essential to take proactive steps to counter the threat.

How does ransomware work?

The good news is that, despite the many variants and affiliate groups in operation today, we can discern a basic pattern to most attacks. In short, threat actors:

  • Hide inside networks for months before striking.
  • Exploit common pathways for initial network access and ongoing lateral movement.
  • Perform actions across multiple stages to achieve their goals.

Let's go deeper into each of these.

How do attackers go undetected for so long?

The goal for attackers is to stay hidden until they have built a strong enough presence inside a victim’s network to steal large volumes of sensitive data and deploy ransomware everywhere.

To do so, they:

  • Breach an asset that the organization didn’t know was vulnerable or exposed — be that a device, application or workload with an open connection to the internet and other network assets
  • Use pathways/data flows the organization didn’t know were open, and which should be closed according to best practice security policy
  • Compromise multiple systems spanning multiple functions, which makes it hard for teams to trace everything back to a single incident

How do attackers exploit common pathways?

Most ransomware arrives via phishing emails, RDP compromise or exploitation of software vulnerabilities. To increase the chances of success, attackers look for:

  • A small set of high-risk, popular pathways such as RDP or SMB. These are usually organization-wide, easily mapped, and often misconfigured.
  • Open ports and exploitable assets, via automated scans using scripts and crawlers.
  • Ways to move laterally at speed, using these high-risk pathways to spread organization-wide in just minutes.

How do multi-stage attacks work?

Most attacks begin with compromising a low-value asset, as these are usually easier to hijack. The trick for threat actors is then to move through additional stages to reach valuable assets that they can steal data from or encrypt, providing leverage when extorting the victim organization.

To do so, attackers usually:

  • Take advantage of an organization’s poor visibility, policy controls and segmentation.
  • Connect to the internet in order to download additional tooling to help with the next stages of an attack or exfiltrate data to a server under their control.
  • Cause most damage through lateral movement — which is the process of jumping around in the network from asset to asset.

Three simple steps to stop ransomware

With this typical attack pattern in mind, CISOs can begin to devise a response — a new security architecture based around three simple components:

1. Develop comprehensive visibility of communication flows across your environment

This will leave your attackers with nowhere to hide, unmasking them as they try to compromise the initial asset or during lateral movement.

To do so, you must:

  • Develop real-time visibility into all assets, enabling you to address any unessential or anomalous data flows.
  • Build a real-time map of the environment to identify which workloads, applications and endpoints must stay open and which can be closed.
  • Create a unified view of comms flows and risk data that all ops teams can work from, reducing internal friction.

2. Build ransomware-blocking capabilities

It’s not good enough to merely map communication flows and understand which assets can be closed. You need to take action to reduce the attack surface and block in-progress raids.

Do this by:

  • Closing as many high-risk pathways as possible and monitoring the ones remaining open in real-time.
  • Closing any ports that don’t need to be open, reducing the chances that automated scans will find exposed assets.
  • Creating an emergency containment switch that can be launched in seconds to restrict network comms in the event of an attack.

3. Isolate critical assets

The final stage is to prevent attackers from reaching critical assets, forcing them to take easier-to-detect actions to progress.

This will involve:

  • Ring-fencing applications to prevent the compromise of high-value assets.
  • Closing outbound connections to untrusted IP addresses, allowing only those on an approved allowlist.
  • Developing post-breach security measures to protect critical assets and prevent attacks from spreading.
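As an added illustration of the three steps (not code from this post or from Illumio): a small policy evaluator that takes constructed flow records, allows only the flows the application map requires, blocks unmapped RDP/SMB pathways and outbound connections to IPs outside an allowlist, and models the emergency containment switch. The map, the workload labels and the address ranges are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# High-risk lateral-movement pathways the post singles out (port -> name).
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB"}
# Hypothetical output of the real-time map: the only flows the application
# needs, as (source label, destination label, destination port).
REQUIRED_FLOWS = {("web", "db", 5432), ("jump", "db", 3389)}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # constructed corporate address space
# Permitted outbound destinations; any other external IP is untrusted.
OUTBOUND_ALLOWLIST = [ip_network("203.0.113.0/24")]  # RFC 5737 test range

@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    src_label: str  # workload label from the map, e.g. "web"
    dst_label: str  # workload label, or "external" for internet destinations

def verdict(flow, containment=False):
    """Return (action, reason) for one flow; action is allow, block or monitor.
    containment=True models the emergency switch: only mapped flows survive."""
    dst = ip_address(flow.dst)
    if not any(dst in net for net in INTERNAL_NETS):  # step 3: outbound
        if any(dst in net for net in OUTBOUND_ALLOWLIST):
            return "allow", "outbound destination on allowlist"
        return "block", "outbound destination not on allowlist"
    key = (flow.src_label, flow.dst_label, flow.dport)
    if key in REQUIRED_FLOWS:
        return "allow", "required by application map"
    if flow.dport in HIGH_RISK_PORTS:  # step 2: close high-risk pathways
        return "block", f"unmapped {HIGH_RISK_PORTS[flow.dport]} pathway"
    if containment:
        return "block", "containment switch: unmapped flow"
    return "monitor", "unmapped flow, not high-risk"

def evaluate(flows, containment=False):
    """Step 1: run every observed flow through the policy."""
    return [(f, *verdict(f, containment)) for f in flows]

# Constructed sample flows, not real telemetry.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 5432, "web", "db"),         # needed DB traffic
    Flow("10.0.1.10", "10.0.2.20", 445, "web", "db"),          # SMB from web tier
    Flow("10.0.9.5", "10.0.2.20", 3389, "jump", "db"),         # mapped admin RDP
    Flow("10.0.5.77", "10.0.1.10", 3389, "laptop", "web"),     # unmapped RDP
    Flow("10.0.2.20", "198.51.100.7", 443, "db", "external"),  # DB calling out
    Flow("10.0.1.10", "203.0.113.10", 443, "web", "external"), # allowlisted
    Flow("10.0.1.10", "10.0.3.30", 8080, "web", "app"),        # unmapped, low-risk
]
```

In normal mode the unmapped web-to-app flow is only reported for review; flipping `containment=True` turns every unmapped flow into a block, which is the behaviour the emergency switch in step 2 is meant to provide.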

The fightback starts here

No organization can be completely impervious today. Attackers are too determined, too well resourced and too numerous for that. But by focusing on network visibility, policy controls and segmentation, you can build a smarter security architecture that is more likely to isolate the threat.

Most threat actors are opportunistic and look for a fast, easy return on investment. Follow these three steps to disrupt their plans and you stand a good chance of avoiding a serious compromise.
