Reducing the threat of ransomware means we must go beyond zero trust

  • Mark Adams, Regional Sales Director, Northern Europe at Cohesity

  • 09.03.2022 09:15 am
  • #data

You’re highly likely to have heard about ransomware, it is everywhere. Presuming you haven’t been living under a rock for the last ten years, you will be familiar with a topic that has been very prevalent in the media in recent times. From meat suppliers in America, to media houses in the UK, international airlines, logistics companies and financial organisations. All industries are getting targeted; nobody is safe.

Last year, the US government stated that it now considers ransomware attacks to have the same priority level as terrorism.

In today’s day and age, businesses of all sizes and industries are aware of the importance of cyber resilience. However, just as organisations are better prepared to defend themselves, criminals are also now more savvy. Take the development of ransomware for instance. It's now more and more personal and has been a near-constant game of cat and mouse that has taken place for over twenty years.

The continued assault on backup and recovery

 Primarily, ransomware centred around encrypting production data and demanding a sum of money for the key. It was a fairly simple process, transactional, you could say. It’s very much still a part of it to this day. However, a few years ago, we witnessed the attack vectors expanding to encompass a direct elimination of backup and recovery files and targets. It's particularly mean as companies that had the forethought to backup their data at regular stages, now face data that is encrypted and harder to recover without paying the ransom.

Attackers have evolved further still. They don't just encrypt data and block recoveries. Today, they do data exfiltration, making threats to release the data on the dark web or put it up for sale on the public World Wide Web. This new addition to an attacker's arsenal is particularly concerning since no company works solo anymore. For modern organisations to be successful they need extensive relations with suppliers, customers, and partners. Is your business able to afford the brand damage and public shaming that cyber attackers now resort to? Most likely not. 

The total impact area for ransomware has grown, and this latest tactic is hard to defend against. As a consequence, it is becoming clearer that a perimeter defence approach is not enough, and threat defence and recovery are necessary. 

Data exfiltration: a new attack style

Whilst you may have advanced security arrangements, it can be hard to isolate illegitimate from legitimate communications on a network with no clear anomaly or change in the network behaviour. 

Hacking groups are savvy to this, so large-scale smash-and-grab style data exfiltration is often too easy to detect, and a more cautious approach is used with exfiltration.

Data exfiltration on a large-scale differentiates greatly in attack style from ransomware, and it’s necessary to use different skills and tools in order for it to be successful. Hackers are aware of this. 

Recent cases we have seen that use data exfiltration to encourage the victim more to pay the ransom have not encompassed large volumes of data. For instance, the attack against Allied Universal only encompassed the exfiltration of 5 GB of data, which is not a large amount by modern standards. Hackers carefully choose what data they are taking, going for low-volume high-impact data as opposed to stealing any large quantity. Using Allied Universal, as an example, it had sensitive business files and cryptographic keys stolen – not large swathes of personal data. So how do you adapt to this new threat?

For a number of years, large organisations have responded to security threats with a tactical "point tools" approach. When security operations grumbled that managing disparate tools had become problematic, vendors came back with common management and administration tools that sat on top of independent security technologies. This was not a perfect solution, but "good enough" for the newest threats that we encountered. However, point tools and cobbled together solutions are now not up to the task - in reality, they never were. 

The question then is, why? The answer is twofold. First, today's merger of large threat volume, changing threat vectors, advanced adversaries, and new targets simply overpowers status quo security defences. Second, with all those various tools comes the issue of bringing them all together or even being consolidated without creating blind spots that enable an attack to take place. 

Rebuilding trust

When an attack takes place, it's terrible. You feel sick to the pit of your stomach. It’s not just about recuperating data and systems; it's the heavier burden of letting down customers and stakeholders, suppliers, partners. We see businesses grapple with rebuilding the trust because enough wasn’t done to give themselves a fighting chance when they still had time. 

A Zero Trust model has been pushed by security vendors for a little while now. And it is an important defence mechanism to halt ransomware in its tracks. The phrase itself was coined over a decade ago by analysts at Forrester under the presumption that all network traffic should be thought of as untrusted. It is the modern option to perimeter-based security and is built on the principle 'never trust, always verify. 

There is the argument that a zero-trust security approach would have put a stop to ransomware attacks such as the Colonial Pipeline and JBS, by preventing it from advancing across the operations while keeping the operation running. 

But now that we’re in 2022, it is time to go beyond zero trust. 

For instance, putting money into software solutions that encompass data security and data governance in a single converged offer enables you to:

  • Utilise AI/ML-based classification technology to identify sensitive data — including personally identifiable information (PII) — in backup and production data and establish who has access to it, helping to harden environments before attacks occur.

  • Automate and simplify data classification with predefined policies for common regulations like GDPR, CCPA, and HIPAA to ensure that compliance and governance mandates are met.

  • locate behavioural anomalies in close to real-time, such as when a user suddenly accesses large volumes of sensitive data. This activity could be seen as a precursor to a data exfiltration event.  

  • Use remediation workflows as determined by policy through integration with leading security orchestration, automation, and response (SOAR) platforms.

Reducing the Blast Radius of Ransomware

As data exfiltration is becoming more prevalent, it must be apparent what data you have as an organisation, where it is stored, how it is classified and who works with it. Only then can it be clear whether deviant behaviour takes place within those datasets. Thus, data fragmentation is not only hard to extract the right information from, but also hampers installing appropriate security measures.

Taking this approach, we need to use the same approach as cybercriminals who utilise automation, machine learning and AI to create an environment to determine where the most valuable data is located. For instance, where are personal information, addresses or other forms of sensitive information? From a policy-based approach, you then begin to evaluate how you're going to protect the data and how it can be recovered.'

The issue arises when people consciously or unconsciously think too quickly about data and where they store it. So information is taken from the corporate share drive and put on their desktop, after which they forget all about it. Looking at the required data governance to go beyond zero trust, that can't take place because the moment it's apparent that data is in the incorrect place, a decision can be made to prevent access or put the data in isolation.

Obviously, the detection and response is not human work but rapid automated actions based on ML and AI. In this instance, systems learn what normal behaviour is and determine what takes place when actions deviate. This is why platforms must work together. There is strength in that unity. 

The increased use of data exfiltration coupled with ransomware requires a change in strategy. First, assess if you're currently preventing data exfiltration and exercise as many measures as possible to put a stop to it.

Cybercriminals will always continue to evolve, so should we.

Related Blogs

ISO 20022 Enhanced Data - The Golden Standard
  • 5 months 3 weeks ago 05:00 am
Data Compression Strategies
  • 6 months 1 week ago 08:00 am

Other Blogs