While New Year’s Day often means waking up with a nasty hangover, the currency exchange firm Travelex had a much ruder awakening on the first day of 2020. Overnight, a ransomware attack had virtually shut down the UK-based company’s business, taking multiple internal and customer-facing systems out of service for several weeks. Eventually, according to the Wall Street Journal, the company paid the attackers around US$2.3 million (£1.65 million) for the restoration of undisclosed assets.
Ransomware has returned to the threat landscape with a vengeance, and the costly Travelex attack is indicative of its new look – bigger targets, bigger demands, more sophisticated attacks and more serious consequences. Speaking at the 2021 Vincent Briscoe Lecture for the Institute for Security, Science and Technology, Jeremy Fleming, director of GCHQ, the UK’s intelligence and cyber agency says ransomware has become a serious threat, both in terms of scale and severity. Increasingly, he says, it targets crucial providers of public services, as well as businesses, as criminals play on our dependence on technology.
No longer the realm of entry-level hackers seeking comparatively measly sums, ransomware attacks are going after global institutions, government agencies, critical infrastructure, transportation networks and healthcare systems. According to the Verizon 2020 Data Breach Investigations Report, ransomware now accounts for 27 percent of all malware incidents. Researcher and publisher Cyber Security Ventures has predicted that the cost of ransomware globally will hit US$20 billion (£14 billion) over 2021, making it “the fastest-growing type of cybercrime.”
This surge is prompting enterprises to re-evaluate their security posture specifically for resilience against this type of attack. Much of this effort is focused on endpoint protection platforms (EPP) and detection and response solutions (EDR). Knowing that email is the number-one attack vector, orations are looking at email security solutions and staff education on the handling of suspicious communications. All of these measures play important roles in the ransomware defense arsenal. But because email attacks exploit human misjudgment, none of these techniques will ever be 100 percent effective.
Preventing lateral movement with segmentation
A comprehensive ransomware security architecture needs to address the core threat that such attacks pose – namely the ability of an attack to move laterally within the network once it has successfully gained entry, whether via a phishing email or endpoint vulnerability. Ransomware works by encrypting important files, rendering them unable to perform tasks, deliver services or allow access to critical data. Communication between endpoints creates a conduit for ransomware to spread among devices and servers to maximize the infection and encryption points. Lateral or “east-west” movement is critical to the success of an attack. If the malware can’t spread beyond its landing point, the attack becomes ineffective. Therefore, in addition to email and endpoint security, robust ransomware defenses must include a solution to thwart lateral movement in order to prevent attacks from achieving their objectives.
Segmentation – the practice of separating or isolating different areas of the network from each other and restricting communications among them – is the key to preventing lateral movement of attacks. However, traditional segmentation methods such as firewalls and VLANs are costly and cumbersome to implement and maintain. In view of the trend toward agile DevOps and accelerated deployment of new applications, network firewalling is challenged to keep pace with the demand for ever finer and more complex segmentation, lacking the agility security teams need to stay a step ahead of nefarious actors. Recent years, though, have seen the advancement of a more flexible, less costly and faster implementation alternative: software-defined segmentation, which allows teams to quickly create, enact and enforce segmentation policies at a very granular level, even down to specific critical applications and processes.
Five steps to a more robust anti-ransomware posture
A well-orchestrated segmentation strategy will enable security teams to identify and contain ransomware attacks in progress. To succeed, such a strategy must incorporate five key elements:
- Visibility: First, operators need to be able to visualize and identify every application and asset running in the network environment, and to map the dependencies and data flows among them. This is the essential starting point for an effective segmentation strategy. Advanced visibility capabilities allow security teams to quickly map critical assets, data and backups and to identify vulnerabilities and risks. By gaining a comprehensive view of the entire network environment, response playbooks and security policies can be quickly activated during an outbreak.
- Segmentation policy creation: With visibility established, security teams can then leverage software-defined segmentation to create security policies that restrict communications between users, applications and devices – effectively creating zero-trust micro-perimeters around critical applications, backups, file servers and databases. This is key to blocking lateral movement attempts.
- Threat detection: Segmentation policies will block any attempt to gain unauthorized access to a secured asset. Any blocked attempt should serve as a signal that a potential threat is present in the network, alerting operators to initiate an investigation.
- Dynamic deception: Detection of a threat should automatically activate deception agents to engage, investigate and contain the intrusion. Successful segmentation strategies should incorporate reputation-based detection functionality that generates alerts to the presence of known malicious domains and processes. This also extends to network scanning attempts that signal intruder reconnaissance efforts.
- Remediation: Once a threat has been confirmed, operators again need visualization capabilities to assess the scope of the attack and implement isolation rules to disconnect infected areas of the network.
Stop attacks in their tracks
Ransomware attacks succeed by taking over multiple assets and endpoints to immobilize an oration. Only when they have gained control will the attackers issue their ransom demands. The goal of this five-step approach is to catch the culprits red-handed – after the break-in, but before they’ve had a chance to grab the goods.
The sheer volume of data breaches reported tells us they are very difficult to stop. To prevent falling victim to ransomware, orations need a plan for dealing with threats that have already penetrated the network. Preventing lateral movement through granular application segmentation enables you to stop the spread of a ransomware attack in progress, before it has reached all its targets, thereby minimizing the damage to critical network operations and the risk of dire financial consequences – or worse.
Dave Burton, VP cybersecurity communications, Guardicore