How to prevent ransomware attacks with a zero-trust security model

Ransomware attacks are rampant, with thousands taking place every single day. Learn how a zero-trust security model can protect your organization.

[Image: Ransomware. Credit: kaptnali, Getty Images/iStockphoto]

Ransomware attacks take place 4,000 times worldwide every day. The process is fairly straightforward—malware infects a target computer, and an attacker encrypts valuable data then sends the victim a notification demanding a ransom payment to release access to it. It’s a gamble: If the ransom is paid there is no guarantee the attacker will release the data.


It’s worth pointing out that this is a real phenomenon that actually locks up targeted data. It is not the same as a random email from a stranger stating that they “have gained access to your devices, which you use for internet browsing” and that “after that, I have started tracking your internet activities,” and then accusing you of unsavory online behavior they threaten to expose unless you send them Bitcoin. Those messages are safe to ignore. Ransomware cannot be ignored.

TechRepublic has offered many tips on combating ransomware, as well as strategies for being proactive about it. There is also a zero-trust model of cybersecurity that can help businesses stay secure.

Duncan Greatwood, CEO of Xage, a zero-trust security company, pointed out that a ransomware attack can be much more damaging than just preventing access to valuable data. That’s an inconvenience and a potential disruption to business operations, but when an energy or utility grid is compromised, this can lead to blackouts, gridlocks and—when safety mechanisms are breached—the release of toxic chemicals, oil spills, fires or explosions.

Furthermore, Greatwood pointed out, wealthy countries and businesses are prime targets for ransomware attacks. “The higher the expectation for service reliability, quality and trust, the more likely the business will be a target of the attack. For these companies the impact due to loss of revenue and reputation is much greater than the payout. They also have the working capital to pay the ransom. Utilities, oil and gas operators, pipelines, chemical manufacturing, and the food and beverage industry are prime targets,” he said.

The problem is exacerbated by the fact that as of late the skills required to execute a ransomware attack have been dramatically reduced. “Ransomware software packages exist along with millions of stolen access credentials on the dark web that allow people with relatively little technical background to effectively execute ransomware attacks. In fact, ransomware-as-a-service models are emerging with complete software offerings for hackers. Hacker groups are based all over the world with some concentration in Eastern Europe, China, Iran, Russia,” Greatwood said.

Identity-based access, frequent password changes and multi-factor authentication can help reduce the incidence of such attacks, but to be proactive, Greatwood and I agreed, identifying the source of repeated, excessive login attempts and blocking such attempts are crucial to detecting and reducing the impact of ransomware attacks.
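As an added illustration of the detection step just described (example code written for this article, not from Greatwood or Xage), the following Python script parses constructed sshd-style log lines, flags any source that reaches five failed logins inside a one-minute sliding window, and renders a blocking rule for an operator to review before applying. The log format, the threshold and window, and the nftables table and chain names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style sample lines written for this article (not real logs).
SAMPLE_LOG = """\
2021-06-14T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51122
2021-06-14T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51123
2021-06-14T10:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51124
2021-06-14T10:00:06 sshd[1201]: Failed password for operator from 203.0.113.7 port 51125
2021-06-14T10:00:07 sshd[1201]: Failed password for admin from 203.0.113.7 port 51126
2021-06-14T10:00:09 sshd[1201]: Failed password for jdoe from 198.51.100.4 port 40001
2021-06-14T10:05:00 sshd[1201]: Accepted password for jdoe from 198.51.100.4 port 40002
2021-06-14T10:20:00 sshd[1201]: Failed password for jdoe from 198.51.100.4 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

def parse(line):
    """Return (timestamp, result, user, source_ip) or None for unmatched lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def find_brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP whose failed logins reach `threshold` inside any
    sliding `window` to the timestamp at which the threshold was first hit."""
    recent = defaultdict(deque)      # src -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, src = rec[0], rec[3]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def block_rules(flagged):
    """Render one nftables command per flagged source for operator review
    (assumes an existing 'inet filter' table with an 'input' chain)."""
    return [f"nft add rule inet filter input ip saddr {src} drop" for src in sorted(flagged)]
```

In production the same logic would be fed from the central log collector rather than a string, and the rendered rules pushed through change control rather than run blindly.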

A zero-trust model is a valuable defense mechanism in blocking ransomware. “One of the most effective ways to prevent ransomware attacks is through the adoption of zero-trust architecture, the modern alternative to perimeter-based security. Built on the principle ‘never trust, always verify,’ a zero-trust security strategy would have prevented ransomware attacks like the Colonial Pipeline and JBS, by preventing it from spreading across the operations while keeping the operation running.


The Colonial Pipeline attack as well as many other recent attacks (JBS, Brenntag, Oldsmar, etc.) demonstrate that industrial operations lack the security controls across their operation to effectively identify, isolate and recover infected systems. Cybersecurity controls across the operations give the operator the ability to control each interaction between applications, users and machines on an individual basis based on the identity and policy and with zero trust. When such controls exist they give the operator a method to prevent the attack from spreading and the operation can keep running even during an active attack,” Greatwood said.

“Unlike traditional techniques, under which an attacker can exploit cyber weaknesses upon gaining access inside a network segment perimeter, zero trust treats the identity of each machine, application, user and data stream as its own independent ‘perimeter,’ allowing granular access policy enforcement. As such, rigorous security enforcement continues even in the event that hackers get into an operational or corporate network—and ransomware gets blocked from traversing between IT and OT systems,” Greatwood said.

Greatwood also emphasized that zero trust is especially crucial for companies in industries that have been slower to modernize, such as oil and gas, utilities, and energy. Due to their delayed digital transformation, as well as a mix of legacy and modern equipment, these companies are often the most difficult to secure.

“Cybersecurity and Infrastructure Security Agency recently published a set of guidelines specifically for industrial operations due to the rise of ransomware attacks in this sector. National Institute of Standards and Technology has also been updating its set of guidelines for protecting Industrial Control Systems from such attacks. Both are advocating for a defense-in-depth approach focusing on zero-trust with granular role-based access management for all interactions in the OT and especially in IT/Cloud environments,” Greatwood said.


“Zero trust really means a way to control interactions between users, machines, apps and even data on an individual basis requiring authentication and authorization per security policy, vertically and horizontally and across multiple levels. Organizations need to implement controls throughout their environments—cloud, enterprise, control center, facilities, substations, wind farms, everywhere to be able to not only protect, but also quickly isolate infested systems, and recover operations,” he added.

Here are the benefits (and requirements) of a distributed zero-trust cybersecurity system (cybersecurity mesh/fabric) as laid out by Greatwood:

  • No reliance on implicit trust zones, static accounts and firewall rules
  • Each identity (user, machine, app, data) forms its own perimeter protection
  • Access permissions controlled based on identity, role and policy
  • All interactions have “just-enough-access” enabled “just-in-time”
  • Unsecured protocols such as RDP, VNC, Modbus and their vulnerabilities are never exposed outside of the organization, instead proxied over TLS sessions
  • Unlike VPNs that put remote user devices (and potential malware on them) into networks, ZTA remote user devices are never inside the network (not even corporate)
  • Controls user-to-machine, machine-to-machine, app-to-machine, and app-to-data interactions and secures file and data transfer within and across OT, IT and Cloud
  • Vertical (corporate and remote to control network) and horizontal (ICS site-to-site) access management
  • Driven by central policy management and enforced using distributed nodes (any asset, any location). The cybersecurity mesh with distributed identity-based enforcement is a top strategic trend for 2021, according to Gartner.
  • Overlays into existing OT/IT architectures with no network changes or systems changes (compatible with existing deployed base of workstations, HMIs, IEDs, etc.)
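To make the first four requirements concrete, here is a small policy engine written for this article (hypothetical code, not Xage's product or API). Every interaction is denied by default; access is decided purely on identity, role and policy with no notion of a trusted network zone; and a grant is issued just-in-time and clipped to the rule's maximum duration, so it expires on its own. The roles, asset names and protocols in the scenario are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy model (not Xage's product or API): an interaction passes only
# if a rule for the subject's role, the target asset and the protocol exists AND an
# unexpired just-in-time grant was issued under it. Network location is never consulted.

@dataclass(frozen=True)
class Identity:
    name: str                # user, machine or app identity
    roles: frozenset         # roles assigned by the identity provider

@dataclass(frozen=True)
class Rule:
    role: str
    target: str              # protected asset, e.g. "plc-07"
    protocol: str            # e.g. "modbus", "rdp" (proxied, never exposed directly)
    max_minutes: int         # longest grant this rule allows ("just enough")

class PolicyEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.grants = []     # (identity, target, protocol, expires)

    def request_jit(self, who, target, protocol, minutes, now):
        """Issue a time-bounded grant only if a rule for one of the requester's roles matches."""
        for r in self.rules:
            if r.role in who.roles and (r.target, r.protocol) == (target, protocol):
                ttl = min(minutes, r.max_minutes)          # clip to the rule's maximum
                self.grants.append((who.name, target, protocol, now + timedelta(minutes=ttl)))
                return ttl
        return 0             # no matching rule: nothing is issued

    def authorize(self, who, target, protocol, now):
        """Default deny: pass only with an unexpired grant matching identity, target, protocol."""
        return any(g[:3] == (who.name, target, protocol) and g[3] > now for g in self.grants)

def run_demo():
    """Constructed scenario: an OT engineer gets clipped JIT Modbus access to one PLC."""
    t0 = datetime(2021, 6, 14, 10, 0)
    eng = PolicyEngine([Rule("ot-engineer", "plc-07", "modbus", 30)])
    alice = Identity("alice", frozenset({"ot-engineer"}))
    bob = Identity("bob", frozenset({"corp-finance"}))
    return [
        eng.authorize(alice, "plc-07", "modbus", t0),                          # False: no grant yet
        eng.request_jit(alice, "plc-07", "modbus", 120, t0),                   # 30: clipped to max
        eng.authorize(alice, "plc-07", "modbus", t0 + timedelta(minutes=10)),  # True
        eng.authorize(alice, "plc-07", "rdp", t0 + timedelta(minutes=10)),     # False: other protocol
        eng.authorize(alice, "plc-07", "modbus", t0 + timedelta(minutes=31)),  # False: expired
        eng.request_jit(bob, "plc-07", "modbus", 10, t0),                      # 0: no rule for role
    ]
```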


Greatwood pointed out the risk of liability here: “Companies paying ransomware fees—the victims of ransomware—may also be exposing themselves to serious legal risk depending on the identity and origin of the hackers, since U.S. laws prohibit sending funds to certain organizations and people, such as terrorists or some organized-crime syndicates, and also prohibits companies from doing business with certain countries.”
