Zero Trust and Remote Work: Identity-Segmented Access to Enterprise Network

The term ransomware attack refers to a particular malware and threat tactic that focuses on infiltrating enterprise networks and holding their critical files hostage through encryption. More advanced ransomware can hold entire servers and networks hostage via the same process. Either way, your users can’t access these necessary files or even log in with the files encrypted. Instead, your business must make a difficult choice. You can either pay the ransom the hackers ask to unencrypt your files or try to mitigate the predicament yourself.

For some businesses, this choice appears like anything but one. Many enterprises find the losses ensuing from downtime more punishing than just paying the ransom. Concurrently, ransomware could cost thousands upon thousands of dollars per attack. For instance, each of the recent U.S. municipal attacks cost an average of $400,000 apiece in ransom[1]; several of the afflicted municipal governments still elected to pay, despite the FBI counseling otherwise.

Additionally, some enterprises can’t afford to wait. Healthcare enterprises must provide immediate care to their patients, which precludes waiting for time-consumptive threat mitigation. To bypass making similar tough choices, prevention and mitigation can protect you in the short and long-term against ransomware attacks.

Recently Malwarebytes Labs detected ransomware rose by 500%[2]. Partially, we can condemn the Dark Web. Plenty of enterprising threat players now sell or rent Ransomware-as-a-Service (RaaS) to the young cybercriminals looking to turn a profit. These programs make launching ransomware attacks straightforward and effective, with minimal coding associated.

More than that, ransomware presents hackers with an easy means to exploit enterprise digital vulnerabilities. Certainly, ransomware can exploit security holes as several as open ports, phishing emails, and software vulnerabilities. Thus, ransomware suggests flexibility most hackers, especially newcomers, find appealing. So long as they can access your files, they can launch a ransomware attack against you.

Changing Dynamics of Endpoint Security

An average IT department handles thousands of endpoints across its network. These endpoints include desktops and servers and laptops, tablets, smartphones, the internet of things (IoT) devices, and even smart-watches and digital assistants. Each of these endpoints can become an open door for cyberattacks. That’s why endpoint visibility is critical.

Airgap Defense: Airgap’s Zero Trust Isolation technology blocks all unauthorized movement within the corporate environment, from managed or unmanaged devices.

While today’s antivirus solutions can identify and block many new types of malware, hackers are constantly creating more. An IT department may implement various endpoint security solutions and other security applications overtime to bolster security. However, multiple standalone security tools can complicate the threat detection and prevention process, especially if they overlap and produce similar security alerts. A better approach is an integrated endpoint security solution, particularly for work from home conditions.

Airgap Defense: Airgap’s Zero Trust Isolation technology complements EDR/NGAV solutions ensuring that endpoints are segmented, implementing rules and policies transparently and automatically.

In other words, criminals have realized that the most subtle and effective way to wield control over a system is to use the same operating system components and system administrators’ methods. Some of the tools commonly exploited for LotL (Living Off Your Lan) attacks include PowerShell scripts, VB scripts, WMI, Mimikatz, and PsExec. Some of these are administrative and troubleshooting tools already in the environment and won’t set off alarm bells when an attacker uses them.

Living Off Your Land attacks (LotL attacks)

The term “living off the land” refers to fileless, malware-less attacks that turn a system’s native tools against them[3]. Bad actors use legitimate programs and processes to perform malicious activities, thereby blending into a network and hiding among the legitimate processes to pull off a stealthy exploit.

Attackers have always exploited a target environment and then pushed their tools onto target machines, including backdoors, rootkits, harvesting tools, and more. With living-off-the-land techniques, the attacker uses the compromised machine itself and components of its operating system to attack that system further and to spread to other machines in the environment. So, the compromised machine’s operating system becomes, in essence, the attacker’s toolkit. The attacker uses its resources and places them on the network to undermine the entire targeting environment.

“Ransomworm”

The power of the recent phishing attack is that it has been a self-replicating worm. That suggests that as one account got compromised, the automated script recognized all the victims’ contacts and sent each one an email. And when these people received that email — from a sender they know — many of them clicked via and fed the fire. This clever use of a known identity was what led to the volatile spread of the attack. With built-in language support for all significant countries and a powerful delivery mechanism, the attack is bound to stimulate additional attacks.

Ransomworm can distribute itself utilizing compromised accounts and would therefore inherit the credibility of its phishing attack[4] “father” by creating emails from friendly contacts to be received by the next round of victims. And the ransomworm would, of course, obtain the lexical fluency of its ransomware “mother” — making certain that the message the next round of victims obtained is in the same language as what the sender and receiver normally use to interact. The most likely means the ransomworm would infect your computer is using a method that bypasses traditional security technologies, but also some advanced endpoint security solution. WannaCry used unpatched vulnerabilities, but many other benefits are like social engineering end-users to make a poor security decision and run malicious software.

The Endpoint Gap to Fill

We have a clear picture that the endpoint security of any organization will occasionally abstain from malware. We know that malware will then often look to propagate since lateral flow is a key threat. This could lead to a data breach.

Airgap Defense: Airgap helps implement comprehensive Zero Trust in minutes without the need for agents, APIs, or forklift upgrades. The patent-pending Zero Trust Isolation platform assures threat propagation protection. Airgap’s solution can be deployed in minutes,

This gap in endpoint protection must be discussed. This brings into focus the need for additional measures beyond endpoint security tools like NGAV or EDR to stop ransomware and malware from spreading once inside. This is where Zero Trust comes back into the conversation.

In its 2020 “Evil Internet Minute” security intelligence report, RiskIQ found cybercrime necessitates the global economy $2.9 million every minute[5]. Cyber-threats progress at a speed of 375 per minute. Meanwhile, every endpoint connected to the Internet faces 1.5 attacks per minute[6]. Also, every 24 minutes, a new vulnerability is discovered. We have seen rapid development in the endpoint security space over the past decade with the emergence of next-generation antivirus (NGAV) and endpoint detection and response (EDR) tools.

Next-generation endpoint security & next-generation antivirus (NGAV) uses modern artificial intelligence (AI), machine learning, and tighter integration of network and device security to offer more comprehensive and adaptive protection than conventional endpoint security solutions. Next-generation endpoint protection combines real-time analysis of user and system behavior to analyze executables, allowing users to detect fileless “zero day” threats and core advanced technologies before and during execution, and take prompt action to block, contain, and roll back those threats. In addition to addressing threats, next-generation tools also proactively learn from threats and continuously accommodate methods to combat them with greater speed and efficiency.

Zero Trust on the Endpoint

Endpoint security products defend and collect data on endpoints’ activity, while network security products do the equivalent for networks. To effectively combat advanced threats, both require to work together. An integrated platform strategy that combines endpoint and network security is the only way to achieve holistic protection and achieve the Zero Trust model across your entire security architecture. This program must be part of everything we do to prevent wherever traffic occurs, everywhere data lives.

Four criteria must be satisfied to extend Zero Trust to the endpoint:

1. Endpoints to be protected with multiple layers of security

Traditional security measures disappoint if an attacker finds a way to circumvent the weakest link by dispensing malware or exploiting application vulnerabilities. It is more efficient to layer network and endpoint protections together so that if an attacker captures in bypassing one measure, they will be defied with another, making it progressively more difficult for them to succeed. The purpose of network security is to stop as many attacks as reasonable — be they malware, phishing attacks, or exploits — from attaining an endpoint through the network.

Airgap Defense: Airgap’s Zero Trust Isolation technology makes every endpoint a zero-trust endpoint, complementing EDR/NGAV solutions with fully automated policies to monitor, control, and prevent lateral movements.

2. Combination with Network Security

Extending Zero Trust to the endpoint interlaces endpoint security with network security for a single, holistic security architecture. Intelligence obtained on the endpoint should be fed into the Campus and Network protection systems and vice versa. Policies should be arranged on the security equipments such that if the endpoint experiences an event, that endpoint can be isolated until it can be fully scanned and refined.

This is true also when the users connect via VPNs.

Airgap Defense: Airgap prevents any lateral scanning attempt. If under Zero Trust, an intruder breaches the perimeter controls, compromises a misconfiguration, or bribes an insider, they will have extremely restricted access to sensitive data, and safety measures would be in place to identify and respond to suspicious data access before it becomes a threat.

3. Handling Multiple Kinds of Endpoints

All businesses have multiple kinds of endpoints that must be managed, such as servers, desktops, workstations, laptops, tablets, and mobile devices. To harden security posture and complete Zero Trust, endpoint protection needs to integrate with a set of firewall policies so that security policy supports the endpoints, no matter where they are. Multi-factor authentication, or MFA, should be implemented on a next-generation firewall for scalability and move the vulnerability line farther away from critical applications. This synthesis must not negatively affect system performance so that users will not discern security running in the background and potentially try to eliminate or close security tools.

Airgap Defense: Airgap’s Zero Trust Isolation technology ensures that only the first victim could, eventually, be infected, but makes sure that ransomware cannot propagate.

4. Layer 2–7 Access Control

When executing Zero Trust across your security architecture, ensure traffic is inspected for malicious behavior both as it enters and leaves the endpoint. It’s common for endpoints to assess traffic for possible threats as it enters the network. It is less common for traffic to be assessed as it leaves the network under the hypothesis that the user and the user’s activity are valid. However, if a user is compromised, an attacker could be exfiltrating data or intellectual property from the endpoint or using the compromised device for other nefarious activities.

Airgap Defense: Airgap’s Zero Trust Isolation technology blocks all unauthorized movement within the corporate environment, as well as the remote working environment.

In a vibrant and constantly evolving threat environment, it is clear that, for any enterprise, a secure perimeter is no longer an option. Zero-day attacks effortlessly bypass signature-based defenses, and social engineering can trick users into executing malware using “trusted” credentials. Leveraging the Zero Trust model as part of a complete security architecture provides enterprise architects and administrators with a better way to combine and connect their defenses.

About Airgap

Ransomware threats are growing rapidly. While there are a whole bunch of security companies that are trying to prevent ransomware from getting into your network, Airgap’s “Zero Trust Isolation Platform” protects your organization even if your perimeter is breached or if you have unpatched vulnerable servers inside your data center. Additionally, Airgap’s “Ransomware Kill Switch” is the most potent ransomware response for the IT organization. Airgap can be deployed in minutes without any agents, forklift upgrades, or design changes. The company is founded by highly experienced cybersecurity experts and the solution is trusted by large enterprises and service providers. For more details, check out https://airgap.io

References:

https://www.sophos.com/en-us/content/ransomware-attacks.aspx

https://www.knowbe4.com/hubfs/Endpoint%20Protection%20Ransomware%20Effectiveness%20Report.pdf

https://www.cisco.com/c/en/us/products/security/zero-trust.html

https://www.comodo.com/advanced-endpoint-protection.php

https://www.crowdstrike.com/blog/going-beyond-malware-the-rise-of-living-off-the-land-attacks/

https://securityboulevard.com/2020/09/what-are-living-off-the-land-attacks/

https://www.fortinet.com/blog/threat-research/new-ransomware-follows-wannacry-exploits

https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/notpetya-timeline-of-a-ransomworm/

[1] https://www.sungardas.com/en-us/blog/ransomware-attacks-on-us-government-entities/

[2] https://resources.malwarebytes.com/resource/cybercrime-tactics-and-techniques-ransomware-retrospective/

[3] https://blog.emsisoft.com/en/29070/fileless-malware-attacks/

[4] https://innotechtoday.com/ransomworm/

[5] https://www.infosecurity-magazine.com/news/cybercrime-costs-global-economy/

[6] https://www.mcafee.com/enterprise/en-us/threat-center/mcafee-labs/reports.html

Zero Trust Isolation — The Best Defense Against Ransomware Propagation. https://airgap.io