The rising number and increasing severity of ransomware attacks are sufficient to prove that current cybersecurity strategies are simply not working. The fact is, today’s security approaches are far too focused on the network perimeter and too lenient when it comes to internal traffic. And since most users, devices and cloud-based applications operate outside of the corporate perimeter, the traditional approach of considering network location as the prime component of the security posture has now become obsolete.
What’s more, the perimeter-based approach is also insufficient from the perspective that if an attacker breaches the perimeter, it is extremely difficult to block or halt their lateral movement. Given this scenario, organizations are in dire need of a new security approach that is not just solely focused on network location. Enter zero trust.
What is zero trust?
Zero trust is a holistic security approach that assumes that no user, device or application should be inherently or automatically trusted. The zero-trust concept begins with the assumption that trust has already been broken (the environment has already been breached) and trust can only be established (or reinstated) based on the identity and the context of the request. Zero trust isn’t a particular technology. It’s a foundation upon which the entire security ecosystem is built; it’s an architecture of how security is delivered via the cloud, closer to where business assets and user activities are now centered.
How can zero trust prevent ransomware attacks?
Every ransomware attack contains a complex sequence of four key steps. First, the attacker discovers your attack surface—they stumble upon a vulnerable user or an internet-facing device that can be compromised. Second, they use compromised or previously leaked credentials to get unauthorized entry into user accounts, applications or devices, either through an exposed device or by luring users via phishing scams or other malicious content. Third, they move laterally. Attackers search for high-value data or crown jewels they can encrypt. Fourth, they exfiltrate your data. Attackers begin to encrypt files and leverage trusted SaaS traffic to hide malicious activities and exfiltrate the data.
But here’s the best part: Every single step in this process is an opportunity to block attackers and prevent them from being successful at causing a ransomware infection, and this is where zero trust comes in.
If an organization is able to align its infrastructure around zero-trust principles, it can easily halt attackers at every stage of the ransomware lifecycle. In case the organizational defenses fail at any point, it will still have multiple layers of protection that will stop the malware from spreading or prevent attackers from exploring the victim’s environment.
In line with the same sequence with which a ransomware attack unfolds, there are four key facets of ransomware prevention.
1. Eliminate the attack surface.
All applications, user and device identities should be hidden from the outside world. They should never be visible or discoverable from the public internet. Never permit inbound connections to web servers located within a network DMZ. If these servers are visible to the outside world, attackers can try to find vulnerabilities, exploit them and gain access to your environment. Instead, consider using a zero-trust network access (ZTNA) solution that permits only authorized users to connect to the network and access specific applications. Extend this approach to both managed as well as unmanaged devices and apply it to all applications, not just web apps.
2. Prevent initial compromise.
Run deep packet inspection for all traffic because this will not only give you full visibility but also stop malicious downloads, email-borne infections and malware. Application access should never occur through the open internet because this makes it easy for attackers to discover what’s in your environment. Secure application access through a zero-trust platform, as this makes them invisible to attackers. Deploy AI-powered phishing detection because this phishing is one of the top vectors for initial compromise. Check for cloud misconfigurations. Use AI-powered antimalware tools that can leverage behavior and context analysis to detect previously unseen ransomware variants. If feasible, use a good AI-based sandbox that can detonate files in a contained area and ascertain if they are safe to use.
3. Block lateral movement.
Leverage a proxy architecture to connect users and workloads to applications and resources rather than trusting traffic from an internal network or a subnet. By using such a micro-segmentation approach, organizations can limit lateral movement and minimize their blast radius in case a breach occurs. Again, using a zero-trust platform ensures that all policies are enforced, wherever or whenever business users connect to technology resources within the overall IT ecosystem. Enforce consistent least-privilege access controls and constantly monitor for policy, entitlement and configuration gaps. Consider employing active defenses like deception technologies that act as lures to draw attackers away from valuable data assets and serve as tripwires that sound alarms to your security teams.
4. Stop data theft.
Preventing data exfiltration is critical to your anti-ransomware strategy. This is because a majority of ransomware involves the theft of sensitive data along with its encryption. It’s also a good idea to implement data loss prevention (DLP) tools as these can identify and block leakage of data by inspecting northbound traffic in real time. Enforce “default deny” policies so that communication can be allowed with only known-good destinations. Use a cloud access security broker (CASB) to deploy granular controls over your cloud applications and greater visibility into unsanctioned cloud apps and software.
The U.S. government mandated that all federal agencies implement zero trust by 2024. It’s also worth noting that aligning infrastructure around zero trust is no easy task. Organizations may need a single, integrated interface or a zero-trust platform to implement the architecture and for its day-to-day management. Such platforms can truly be game-changers, especially at a time when enterprises are dealing with evolving threats like ransomware.