How Zero Trust Segmentation Stops Ransomware 4X Faster Than Detection and Response Alone

It is well documented that Zero Trust is a mindset and the base tenet is to assume breach. This may sound scary, but in reality, it means that you should assume that if your organization has not yet been breached, it is likely that it will happen. Security postures must change from passive and waiting to proactive and hunting. Why is this more important than ever?

The pandemic has accelerated business transformation, driving the introduction of automation and integrated supply chains, breaking down the traditional structure of networks and systems, and creating new levels of hyper-connectivity. A trip to the hospital is now an end-to-end digital experience. You can enter and leave a retail or bank branch without interacting with a human being.

This shift has created a substantial new set of attack vectors and opportunities for cybercriminals. Adopting the "assume breach" mindset that drives a more proactive approach is now the only way forward.

The good news is that there are a number of frameworks that can guide your organization in this approach. And the gold standard of frameworks is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

But how can implementing practices in the NIST CSF help your organization limit the impact of an inevitable breach?

Illumio commissioned Bishop Fox, a leader in offensive security and penetration testing, to quantitatively measure how well those practices limit the impact of a breach by conducting a series of emulated ransomware attacks. In this post, we'll summarize the attack scenarios and key results. The full report is available here.

Building a more secure model: Identify, protect, detect, respond

The first two steps of the NIST CSF are well established and obvious:

Identify

  1. Determine which assets are most likely to be attacked and which assets will have the biggest impact if they are compromised.
  2. Map the data flows between all devices, IT and OT.
  3. Determine the vulnerabilities on each device to quantify the exposure of that device based on the mapped connections.

Protect

  1. Block all unused and high-risk ports and protocols.
  2. Implement ringfencing of assets and applications and allow access based on least privilege.
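The Identify and Protect steps above, worked through on a constructed flow map as an added example (this is not Illumio's code or policy format; the host names, vulnerability counts and the blocked-port list are assumptions). It scores each host's exposure from the mapped connections, then compares what a port blocklist leaves reachable against a default-deny application ringfence:

```python
"""Toy model of Identify (map flows, score exposure) and Protect (block
high-risk ports, ringfence the application). Added example, not Illumio's."""
from collections import defaultdict

# Constructed flow map: (source_host, dest_host, dest_port). Assumed names.
FLOWS = [
    ("web-01", "app-01", 8443),    # intended application traffic
    ("app-01", "db-01", 5432),     # intended application traffic
    ("web-01", "db-01", 5432),     # web tier should never reach the database directly
    ("laptop-7", "app-01", 445),   # SMB from a user endpoint into the app tier
    ("laptop-7", "web-01", 3389),  # RDP from a user endpoint into the web tier
    ("app-01", "web-01", 22),      # SSH between peers inside the application
]

# Constructed vulnerability counts per host (input to Identify step 3).
VULNS = {"web-01": 4, "app-01": 2, "db-01": 6, "laptop-7": 1}

# Protect step 1: high-risk ports denied everywhere (assumed list).
BLOCKED_PORTS = {445, 3389}

# Protect step 2: the only flows the application needs; everything else is denied.
RINGFENCE_ALLOW = {("web-01", "app-01", 8443), ("app-01", "db-01", 5432)}


def exposure(flows, vulns):
    """Exposure per host: vulnerability count times the number of distinct
    peers that can reach it. A vulnerable host nobody can reach scores 0."""
    inbound = defaultdict(set)
    for src, dst, _port in flows:
        inbound[dst].add(src)
    return {h: vulns.get(h, 0) * len(inbound.get(h, set())) for h in vulns}


def blocklist_policy(src, dst, port):
    return port not in BLOCKED_PORTS


def ringfence_policy(src, dst, port):
    return (src, dst, port) in RINGFENCE_ALLOW


def allowed_flows(flows, policy):
    return [f for f in flows if policy(*f)]


def residual_exposure(flows, vulns, policy):
    """Exposure that remains once a policy has removed the flows it denies."""
    return exposure(allowed_flows(flows, policy), vulns)


if __name__ == "__main__":
    print("no policy   ", exposure(FLOWS, VULNS))
    print("port blocklist", residual_exposure(FLOWS, VULNS, blocklist_policy))
    print("ringfence     ", residual_exposure(FLOWS, VULNS, ringfence_policy))
```

The blocklist removes the two endpoint-to-server flows but leaves the web tier's direct path to the database, while the ringfence leaves only the two flows the application actually needs.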

Step 3 (Detect) and step 4 (Respond) are where things have become fragmented.

We have progressed a huge amount from the days of signatures with the advent of machine learning, threat feeds and behavioral anomaly detection. When endpoint detection and response (EDR) first exploded onto the scene, it was viewed as the answer to all attacks on endpoints. As with all things cyber, the criminals have invested time and resources in trying to evade these new products. Too many organizations currently depend on detection and response without first implementing steps 1 and 2.

Until now, understanding of the potential weakness of this approach has been anecdotal and passed on by word of mouth.

Testing the impact of Zero Trust Segmentation and EDR against ransomware

The attack emulation compared implementing all four steps against relying on detection and response alone. The red team used a well-established set of tactics, techniques and procedures (TTPs) from the MITRE ATT&CK and PRE-ATT&CK frameworks to attempt to infect hosts. The blue team used detection and response technologies combined with Zero Trust Segmentation from Illumio to measure the relative efficacy in containing an active ransomware attack.

Attack scenarios explained

The test scenarios included:

  1. Detection alone
  2. Detection and Zero Trust Segmentation for incident response
  3. Detection and Zero Trust Segmentation proactively blocking well-known ports used by ransomware
  4. Detection and Zero Trust Segmentation proactively implementing full application ringfencing

Each test measured whether the attack could be stopped and how long that would take, how many hosts were infected, and how many TTPs were executed. The scenarios were run by two Bishop Fox consultants: one acting as the red team (attacking) and one as the blue (defending).

Attack scenario results


Scenario 1 — Detection alone: This scenario was devoid of any Zero Trust Segmentation capabilities and resulted in complete success for the red team. They were able to execute all TTPs and infected all hosts after 2 hours and 28 minutes.

Scenario 2 — Detection and Zero Trust Segmentation for incident response: This model had Illumio deployed but initially in visibility mode, feeding alerts to the SIEM system, which was also collecting event data from EDR, active directory, Sysmon, etc. Upon detection of anomalous activity, the blue team deployed a containment policy. The attack was stopped in 38 minutes.

Scenario 3 — Detection and Zero Trust Segmentation proactively blocking well-known ports used by ransomware: In this scenario, common ports that ransomware uses were blocked by Illumio to reduce lateral movement. The attack was stopped after 24 minutes with only 2 hosts compromised.

Scenario 4 — Detection and Zero Trust Segmentation proactively implementing full application ringfencing: Full application ringfencing was deployed, resulting in no spread of the ransomware, and the attack was stopped within 10 minutes. This result was 4 times faster than reactive deployment.

Additional testing showed that Illumio Core was “especially useful” at covering EDR blind spots in locations where attacker behavior wasn’t properly detected by preconfigured EDR alerts, highlighting the importance of both detection and response technologies and Zero Trust Segmentation in building a modern, resilient security strategy to contain ransomware.

These results combined show that EDR should be paired with Zero Trust Segmentation to be most effective against ransomware and other cyberattacks.

By adopting the Zero Trust mindset of "assume breach" and "only allow least-privilege access," an organization that deploys Zero Trust Segmentation with EDR can drastically improve its protection against ransomware. This can mean the difference between being able to operate during a cyberattack and major business failure.

For more details, download the full report, Ransomware Scenario Emulation 2022: Assessment Report.
